Posted on May 9, 2019 at 10:05 AM
Amazon’s UK branch has seen better times, as it was exposed to “extensive” fraud by still-unidentified hackers who managed to siphon funds from merchant accounts over a six-month period last year.
The company says that it was a victim of online hackers who had managed to break into over 100 merchant accounts and channeled money from loans and sales to their own bank accounts. According to the legal document filed in the UK, the breach took place between May and October of 2018. The redacted document, which was filed in November of last year, has finally been made public.
Amazon investigation finished
The online shopping giant said that, while investigating the compromised accounts, it found that the malicious actors had changed account details on its Seller Central platform. They diverted the funds to accounts that were owned by Barclays Plc and Prepay Technologies Ltd (a company that is partly owned by Mastercard).
The general thought is that the accounts were compromised by successful phishing attacks that managed to extract valuable and confidential login information from the compromised merchants. The investigation is now finished, according to a spokesperson for the company.
Many in the information security industry are using this as an example of how such a vast automated system with very little human input can be easily breached. It also points to the difficulty that Amazon had in finding the perpetrators responsible, given how long the investigation has taken.
Amazon to Barclays: Show us the accounts
The lawyers for Amazon have asked a judge in London to approve searches of Barclays and Prepay accounts that are suspected of being involved in the breach. They believe that many of these accounts were used as middlemen and that their owners were innocent parties mixed up in wrongdoing.
When Barclays was asked for a comment, it declined to comment on specifics, but it did reiterate that it closes down accounts used by criminals to protect its customers. Prepay did not offer any comment whatsoever.
Amazon stated that they needed the documents “to investigate the fraud, identify and pursue the wrongdoers, locate the whereabouts of misappropriated funds, bring the fraud to an end and deter future wrongdoing.” This was their line of reasoning used in the recent court filing.
What is missing from the filing, at this point, is how the malicious actors were able to add the details to “their” accounts at Barclays and Prepay. One of the Amazon units that were named in the filing is Amazon Capital Services UK, which provides short-term loans to merchants to help with growth that was neither expected nor planned for. These loans run for a maximum of one year and serve only to provide a short-term fix.
One thing that many in the industry want to know is how much of the cash that was issued last year as loans was siphoned. Amazon has not mentioned a number in the filing that was publicly available, but they have mentioned previously that they issued over one billion dollars for 2018. While this might be a drop in the ocean for a company as large as Amazon, the real victims of this hack were the merchants.
Many smaller companies and sellers use the Amazon platform to extend their customer base, and these loans would have been critical for them to keep their businesses afloat in a period where demand was too high to keep up with available supply. The loans offered a reprieve until profits caught up with the increase in demand for goods, but with the siphoning hack, many could have seen their businesses damaged beyond repair.
There is no data at this present time on what businesses were breached and what the fallout is expected to be, but it does show that online information security should be at the top of every merchant’s list so that something like this does not happen again.