Amazon has confirmed that a recent data breach exposed sensitive employee information, including email addresses, phone numbers, and building locations, as a result of a third-party vendor’s security lapse. The breach traces back to the widely publicized MOVEit file transfer vulnerability, which compromised numerous organizations worldwide in 2023. According to Amazon spokesperson Adam Montgomery, “Amazon and AWS systems remain secure, and we have not experienced a security event,” emphasizing that no financial data or personal identification numbers were affected.
The leaked data reportedly dates to May 2023 and has been linked to a property management vendor used by Amazon and other major companies, including MetLife, HP, HSBC, and Canada Post, according to cybercrime research firm Hudson Rock. This firm revealed that a hacking forum now contains data impacting a range of entities, with Amazon’s portion alone amounting to over 2.8 million lines of information.
The MOVEit file transfer vulnerability has had enduring repercussions across industries, affecting high-profile organizations such as the BBC, Sony, and the U.S. Department of Energy. Experts like Nick Mistry, SVP and Chief Information Security Officer of cybersecurity firm Lineaje, caution that this breach serves as yet another stark reminder of the inherent risks in relying on third-party providers.
“The breach involving Amazon’s third-party property management vendor is the latest stemming from the MOVEit Transfer incident from 2023,” Mistry noted. “Although the breach is over a year old, its persistent aftereffects continue to underscore a critical issue for organizations today – the security risks posed by external partners.”
Mistry’s insights reflect a growing concern about third-party risk management as organizations increasingly rely on external vendors for critical operations. “Recent Lineaje research reveals that an average of 250 components with unknown origins lurk within every application, creating significant points of exposure for the software supply chain,” he said.
In today’s threat landscape, businesses cannot assume that securing their internal systems is enough; the software and systems of third-party vendors represent a major vulnerability.
This incident underscores the urgency of proactive third-party risk management. Mistry recommends regular security audits and ongoing monitoring of third-party software as critical steps in maintaining the security of an organization’s broader ecosystem. “Having a robust incident response plan that zeroes in on third-party threats is essential, so organizations can promptly identify and reduce any risks resulting from vendor partnerships.”
With supply chain attacks and vendor-related vulnerabilities on the rise, cybersecurity experts agree that companies must maintain stringent security standards not only within their own systems but across the entire software supply chain. The Amazon breach highlights a need for organizations to reassess and reinforce their third-party security measures before the next vulnerability turns into a full-blown crisis. As Mistry emphasized, “The security of your ecosystem extends far beyond the reach of your own systems and infrastructure. Now is the time to reassess your third-party security practices before the next vulnerability becomes a costly breach and reputational nightmare.”