A former Amazon executive says the company doesn’t take customer data protection seriously enough. “It was put together by tape and bubblegum,” ex chief information security officer Gary Gagnon says in a new report published today by Wired and the Center for Investigative Reporting’s Reveal. Their investigation documents how Amazon’s mission to track and analyze every move we make as consumers—”what you search for, what you buy, what shows you watch, what pills you take, what you say to Alexa, and who’s at your front door”—has backfired into a sort of Achilles’ heel for data security.
Gagnon says when he started in 2017, customer data protection was almost an afterthought. “It was shocking to me,” he tells Wired and Reveal. New consumer product launches were shrouded in “utmost secrecy,” yet employees were given astounding amounts of access to practically everything else, including customer information—with no checks in place to prevent abuse. In addition, he adds the data breaches occurring externally were “breathtaking.” (Apparently for two years, 24 million customers’ names and credit-card numbers sat outside Amazon’s secure payment zone, completely exposed.)
Gagnon also notes his team numbered about 300 when he was hired, but should have been “more like 1,000.” When he asked for more resources, global consumer business CEO Jeff Wilke would usually turn down the request. Gagnon came to believe InfoSec was seen as dead weight: Amazon Web Services’ separate security team had the ability to generate revenue through cloud data-protection products, but the consumer team was seen as draining money from the cool projects that “made Amazon faster, more profitable, and more pleasurable.” The publications report Gagnon warned Amazon was expanding too fast, and that the casualty was going to be data security.
A spokesperson for Amazon issued a generic statement calling their track record “exceptional” when it comes to protecting customer data. The spokesperson notes they’ve also invested billions over the years “to build systems and processes to keep data secure,” and adds they’re “constantly looking for ways to improve.”