Amazon recently confirmed a data breach affecting employee information due to a vulnerability in a third-party vendor’s system. The breach, stemming from a flaw in the MOVEit Transfer software, exposed work-related contact details such as employee emails, desk phone numbers, and building locations.
Identified as CVE-2023-34362, the vulnerability is an SQL injection flaw that allowed attackers to bypass authentication controls and access sensitive data. First exploited in May 2023, this flaw has affected numerous companies, including Lenovo, HP, and HSBC, as well as over 2.8 million individuals globally.
The cybercrime group “Nam3L3ss” claimed responsibility, revealing the stolen data and indicating the potential for further leaks. Amazon stated that only employee work contact information was exposed and confirmed that sensitive details such as Social Security numbers and financial data remained secure. Additionally, Amazon’s core systems, including Amazon Web Services (AWS), were reportedly unaffected by the breach. The third-party vendor has since addressed the security flaw, but Amazon has not disclosed how many employees were impacted.
This incident underscores the challenges companies face in managing cybersecurity across third-party services. Despite MOVEit’s vulnerability being patched, its effects continue to ripple through supply chains, highlighting the critical need for comprehensive security practices within vendor networks.
The MOVEit vulnerability has triggered a series of global cyberattacks, impacting over 2,000 organisations worldwide and exposing millions of personal records. As Nam3L3ss hints at additional leaks, this breach emphasises the ongoing risks in supply-chain security and the pressing need for businesses to strengthen cybersecurity in their partnerships.