Amazon’s Poor Record of Internal Privacy Controls Has Enabled Corruption, Snooping, and Insufficient Logging

Will Evans, Wired:

Around the tail end of 2016, a guy named Gary Gagnon — a cybersecurity executive with decades of experience, primarily in federal government work — flew to Seattle to discuss becoming Amazon’s new vice president of information security. His last interview of the day was with Wilke, the consumer CEO, who met Gagnon in a small conference room off of his modest office, dressed in a flannel button-down and jeans. The outfit was part of a tradition, Gagnon recalls Wilke explaining: He always dressed like a warehouse worker during the peak holiday shopping season, to remind folks at headquarters of the people who really kept Amazon churning.


As he settled into his new role, Gagnon quickly realized that all was not well with “information security” — as he was urged to call it — at Amazon. The size of the company’s network was astounding, but “it was all put together with tape and bubblegum,” a tangle of old and new software, Gagnon says. “It grew up out of a garage and it just kept going from there.” New consumer products were locked down with the utmost secrecy before launch, Gagnon says. But otherwise it seemed like everyone on the network had access to nearly everything, including customer information — and yet there was no insider threat program dedicated to preventing rogue employees from abusing their access while he was there. More fundamentally, he says, the team didn’t seem to have any systematic way of prioritizing its biggest security risks. “It was shocking to me,” Gagnon says.

Every section of this article is a gripping story of internal failures, corruption, and weak excuses. According to Evans’ reporting, Amazon prioritized growth to such an extent that even basic internal privacy controls were not implemented, and tens of thousands of employees had access to far more information than required for their job. Customer details were routinely scavenged and sold, sometimes finding their way into the hands of sketchy third-party firms that blended together several data sources. Evans too often compares this to the Cambridge Analytica scandal at Facebook for my liking.

Yet, despite this exhaustive look at Amazon’s internal practices, Gagnon’s fate somehow gets only a passing mention. He was reportedly fired after a conference in London in circumstances “under dispute”. There is plenty more room for detail and it appears that Evans interviewed Gagnon, but we get no more information than Amazon’s acknowledgement of his termination. Strange.