Amazon China staff were reportedly selling-on user data

Amazon is conducting an internal investigation into allegations that its staff in China received bribes from merchants for user data.

According to a report by the Wall Street Journal, staff of the online retailing giant’s China operation received between $80 and more than $2,000 to hand internal user and sales data to brokers, who would then re-sell it to merchants doing business on Amazon’s platform. According to the WSJ report, it was not only Amazon’s internal sales metrics and users’ email addresses that were sold; additional services were also on offer. The staff would help the buyers delete negative reviews and re-open banned Amazon accounts.

It is said the malpractice was particularly rampant in Amazon’s office in Shenzhen, the city bordering Hong Kong. It is not the first time China’s online retailers have suffered a data security compromise. Back in 2016 over 20 million of Alibaba’s users had their data hacked. Nor is this the first time that Amazon has found itself at the centre of data leaking controversies, but earlier cases were related to its cloud service AWS. So it is astonishing that in the present case, data was not breached by hacking but through blatant criminal transactions. It is not clear how many users have had their data sold.

Amazon released a statement saying “We have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behaviour, we will take swift action against them, including terminating their selling accounts, deleting reviews, withholding funds, and taking legal action.”

Amazon set up its business in China in 2004 after acquiring a competing online bookshop Joyo with $75 million. It was rebranded Amazon China in 2011.

The security of Polar users’ data could be compromised, in a big way

The Finnish fitness device and software maker Polar has found itself at the centre of a data leaking scandal, which it is feared could jeopardise the security of personnel on sensitive missions.

In a country where personal space and privacy are highly respected, Finland can be rather transparent too. Every year at the beginning of November, the tax office grants public access to data on how much income and capital gains everyone made in the previous year, as well as how much tax they paid.

The country also produced Polar, the company that invented the portable heart rate monitor. More recently its professional heart rate monitoring system was credited as being largely behind the scientific training at Leicester City Football Club, which went on to win the Premier League in 2016.

But it is safe to say Polar has taken transparency too far. After months of investigation, the Dutch independent media outlet De Correspondent, in conjunction with the British “citizen journalism” website Bellingcat and the Finnish investigative journalist Hanna Nikkanen on Long Play (in Finnish), published findings on how anyone with a Polar account was able to see all the details of anyone else who publicly shared their workout sessions on Polar’s user interface app Flow.

The data extracted includes the names, as well as time-stamped GPS data of all the workouts uploaded since 2014. When zoomed out, the aggregated data generates a clustered view of the user’s activity pattern on the map. This can lead to a rather accurate estimate of the user’s home base, where most exercises started and ended, including places in sensitive locations, e.g. military bases in Iraq or Afghanistan. With some additional cross-searching on social networks, the user’s professional affiliation, including those of the military and secret service, could be made available.
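To show why the inference described above works, and what the "privacy zone" mitigation later adopted by fitness apps does to it, here is an added example (not Polar's code or the journalists' tooling). It builds a constructed week of out-and-back workouts around a fictitious home coordinate, clusters the start/end fixes of the shared tracks to estimate the home base, then applies a redaction that drops every fix within 500 m of the user's registered private location before sharing and re-runs the same estimate. All coordinates, the `HOME` constant and the destination list are assumptions made up for the demonstration.

```python
import math
from collections import defaultdict

# Constructed sample (assumption): a fictitious "home" in central Helsinki.
HOME = (60.1699, 24.9384)


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    r = 6371000.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))


def make_loop(start, turnaround, n=20):
    """Out-and-back track of 2n-1 fixes sampled along straight legs (constructed data)."""
    out = [(start[0] + (turnaround[0] - start[0]) * i / (n - 1),
            start[1] + (turnaround[1] - start[1]) * i / (n - 1)) for i in range(n)]
    return out + out[-2::-1]          # back leg retraces the out leg, ending at start


# Five constructed workouts, each 2-3 km in a different direction from HOME.
DESTINATIONS = [(60.1900, 24.9384), (60.1699, 24.9800), (60.1500, 24.9384),
                (60.1699, 24.9000), (60.1850, 24.9600)]
# Small fixed jitter (10-20 m) so the start fixes are not byte-identical, as real GPS is not.
WORKOUTS = [make_loop((HOME[0] + 0.0001 * (i - 2), HOME[1] + 0.0002 * (i % 2)), d)
            for i, d in enumerate(DESTINATIONS)]


def _cell(p, cell_m):
    """Map a (lat, lon) fix to a square grid cell of cell_m metres (equirectangular approx.)."""
    y = p[0] * 111320.0
    x = p[1] * 111320.0 * math.cos(math.radians(p[0]))
    return (int(x // cell_m), int(y // cell_m))


def estimate_home_base(tracks, cell_m=200):
    """Cluster the first and last fix of every shared workout and return the centroid of the
    densest cell plus the number of fixes supporting it: the place where most sessions
    start and end, which is exactly the inference the article describes."""
    cells = defaultdict(list)
    for t in tracks:
        for p in (t[0], t[-1]):
            cells[_cell(p, cell_m)].append(p)
    _, pts = max(cells.items(), key=lambda kv: len(kv[1]))
    lat = sum(p[0] for p in pts) / len(pts)
    lon = sum(p[1] for p in pts) / len(pts)
    return (lat, lon), len(pts)


def redact_privacy_zones(track, zones, radius_m=500.0):
    """Mitigation: drop every fix within radius_m of a registered private location
    before the track is published, so shared workouts no longer start or end at home."""
    return [p for p in track if all(haversine_m(p, z) >= radius_m for z in zones)]


def demo():
    """Run the estimate on raw and on redacted tracks; returns both distances to HOME."""
    raw_est, raw_n = estimate_home_base(WORKOUTS)
    redacted = [redact_privacy_zones(t, [HOME]) for t in WORKOUTS]
    red_est, red_n = estimate_home_base(redacted)
    return haversine_m(raw_est, HOME), raw_n, haversine_m(red_est, HOME), red_n


if __name__ == "__main__":
    raw_d, raw_n, red_d, red_n = demo()
    print(f"raw tracks: densest cell {raw_d:.0f} m from home, {raw_n} fixes")
    print(f"redacted:   densest cell {red_d:.0f} m from home, {red_n} fixes")
```

On the raw tracks all ten start/end fixes land in one 200 m cell within a few metres of `HOME`; after redaction the densest cell holds only the two fixes of a single workout and sits at least 500 m out, so the "home base" signal the article describes is gone from the shared data. The radius and the registered zones are the user's (or the operator's) policy choice; the point is that the filtering has to happen before publication, not in the viewer.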

By the time they published their reports, the journalists had managed to gather personal and professional details of more than 6,000 Polar users, including those working for the NSA of the US, Britain’s GCHQ and MI6, Russia’s GRU and SVR RF, France’s DGSE, the Finnish military, as well as the Dutch MIVD.

The journalists notified the Dutch and Finnish authorities and reached out to Polar before they published the findings. The app was disabled remotely on official phones issued to employees by the Dutch and Finnish Defence Ministries, and warnings were sent out to private device users. However, Polar did not formally take down the feature until yesterday (9 July), more than two weeks after being contacted by the journalists and after a forlorn attempt to defend itself by claiming that the company had not leaked the users’ data.

Finland’s Data Protection Ombudsman is looking into the matter. Because its failure to safeguard user data has affected users in other EU countries, the possibility that the case could be brought under the new GDPR cannot be ruled out.

Polar was not the first fitness app to score own goals. As a matter of fact, it was the high-profile case of Strava leaking training data in military bases, which made headlines at the beginning of the year, that prompted the independent journalists to look into the vulnerability of other apps, including Polar. What makes the Polar case stand out is the ease with which users’ private data could be extracted, and the slow reaction from the company.

The ramifications of the case could be profound. The journalists found that similar data could also be extracted from other fitness apps such as Endomondo, Runkeeper and Garmin, albeit with a bit more skill. This could result in authorities banning all similar apps from use by employees in sensitive functions, just to be on the safe side. The Finnish military had already banned the sharing of location data on social networks even before the Strava case, but the rank and file servicemen and the reservists largely ignored the order, according to Long Play.

In her testimony to Congress, the newly appointed Director of the CIA, Gina Haspel, declared she has no social network accounts. This could move from a voluntary decision to a mandatory order for employees on sensitive missions. Profiles on social networks like LinkedIn and Facebook made it straightforward for the journalists to join the dots and put together the Polar users’ personal and family details, functions, and locations.

In our latest annual survey, published at the end of last year, nearly 95% of network operators rated security as either critical (69%) or important (25%) to their company’s overall technology and business. Clearly other service providers, including device makers and app developers, should also enhance their awareness and subject their products to more rigorous security tests.