Press play to listen to this article
Amazon CEO Jeff Bezos last year told U.S. lawmakers the company has a policy that prohibits employees from using data about specific sellers to help boost its own sales.
“I cannot guarantee you that this policy has never been violated,” he added.
Now it’s clear why he chose his words so carefully.
An internal audit seen by POLITICO warned Amazon senior management in 2015 that 4,700 of its employees working on its own sales had unauthorized access to sensitive data of third-party sellers on the platform – even identifying a case in which a employee used this access to improve sales. .
Since then, reports of employees using information from third-party sellers to bolster Amazon’s own sales and evidence of lax IT access controls within the company suggest efforts to address the issue have been poor.
The revelations come as trustbusters around the world increasingly target Amazon, including how it uses data from third-party sellers to bolster its own offerings. The European Commission opened an investigation into this issue precisely in November 2020, with preliminary findings suggesting that Amazon had violated EU competition law.
“It fuels the suspicions I had,” Dutch internet entrepreneur Peter Sorber said when briefed on the audit. Sorber used to sell children’s clothing on Amazon, but 18 months after setting up his “Brandkids” store on the platform and entering the required sales data, his products disappeared from search rankings.
“You can’t ask a retailer to show their entire story with all the sales statistics and then show it to your own buyers. It’s worse than not done. It’s just unfair competition, ”Sorber said.
An Amazon spokesperson said that like all businesses, it checks its compliance policies and makes improvements based on its findings. “This includes Amazon’s internal seller data protection policy, which limits the use of seller data.”
Amazon has long denied reports that employees access data from individual sellers to develop competing products. Instead, he says he uses aggregate data in a way that’s common in retail.
But according to the internal audit document, Amazon bigwigs, including Jeff Wilke, the company’s number two until he left in March of this year, and current General Counsel David Zapolsky knew that insufficiently strict access restrictions meant dozens of insiders could inappropriately access vendor-specific data.
“Permissions are not limited enough, allowing unauthorized users to view vendor-specific information, such as performance history and authentication keys, change inventory levels and prices, and manage returns, ”the report says, which indicates that a previous internal audit had identified similar deficiencies in 2010.
“We identified a Vendor Manager who inappropriately reviewed a Seller’s available inventory to improve the likelihood and timing of the Vendor Manager’s winning buy box,” the 2015 report said, referring to a highly coveted list where the sellers on the platform compete fiercely with each other. more because it generates 80% of sales.
Amazon said it would not comment on any action taken against the manager of the supplier in question for confidentiality reasons. He said his employees are only allowed to use seller-specific data to support that seller, to protect Amazon customers, or to manage Amazon’s store, for example, deciding how to allocate space for that seller. inventory between sellers in a warehouse.
A former employee questioned Amazon’s internal controls.
“There was an access control system that allowed people who had the motivation to be good at their jobs to take data that they weren’t supposed to have,” said a person who worked in security. information at Amazon after the report was released and talked about it. a condition of anonymity for fear of reprisals.
Despite insufficient knowledge access restrictions as early as 2010, court cases, media reports and employee accounts since then suggest Amazon has done too little to prevent its retail staff from inappropriately using seller information to increase its own sales.
During the 2015 audit, Amazon’s middle management recognized and defined a plan to address the issues raised in the report. But the former information security insider called the tracking a “mess” and said problems with the digital tool used to access accounts lasted until at least 2018.
“Compliance in the name of compliance was not well received [by Amazon leadership]. Compliance that could achieve business objectives may have some success, ”said the information security professional, who had raised the issue of internal access restrictions.
Regulators have been revolving around Amazon’s dual role as a platform and a seller for some time.
In November 2020, the European Commission lodged a complaint against the tech giant for “systematically relying on non-public business data from independent sellers who sell in its marketplace, for the benefit of its own retail business. Amazon, which competes directly with these third-party sellers. ”
While acknowledging that data on individual sellers is part of the investigation, EU Competition Commissioner Margrethe Vestager said when filing the charges that her case against Amazon “is more about big data” – or analysis by the e-commerce platform of large data sets to drive decision-making.
When asked whether the EU executive had considered the audit report as part of its investigation into the Amazon data, the Commission said it “could not comment on the leaked documents” and that its “investigation was in progress ”.
Two people familiar with the matter said the Commission had seen the report.
EU competition experts say the easiest way for the Commission to tackle Amazon would be to tackle the use of individual data.
“Using aggregate data is more difficult because the average supermarket does it too,” said a lawyer who reviewed POLITICO’s findings on condition of anonymity because his firm represents a plaintiff in the case.
As Amazon’s dual role as a platform and a seller has become a primary concern of antitrust watchdogs on both sides of the Atlantic, the digital tool that made the abuse possible has so far present received little public attention.
The manager of the supplier identified in the audit report used this tool – internally called “spoofer access” – to conceal his identity and access the account as a seller, to view and modify the account profile, inventory and product pricing and to cancel orders.
By industry standards, access to the account should be restricted to certain people within the company. But the audit report says Amazon has left its access to spoofers widely open to unauthorized access by employees around the world – including in China – to access and modify sensitive information.
This isn’t the first time the way Amazon controls access to its systems internally has come under the heat.
In a POLITICO investigation released in February, former information security insiders accused Amazon of exposing millions of people’s data to breaches because it did not properly control access.
In it, a second former senior information security insider described the quality of the access controls Amazon put in place as “appalling” and that they “failed to meet with most of the people. listeners ”. A third insider confirmed that loads of personal information is accessible to people who don’t have the right role or responsibility. Amazon has dismissed these claims.
“All of Amazon’s tools are designed in such a way that you can use them for whatever purpose you want. This is the basic premise of Amazon’s rapid growth, ”said the first insider.
Not only did identity theft leave little digital traces for sellers, but it also hampered Amazon’s ability to monitor abuse, with the 2015 audit detailing how activity logs were “kept only for 30 days and do not provide enough data to investigate spoofer activity ”. This could imply that the actual abuse was much more prevalent than the single case identified in the report, which would correspond to the suspicions of many third-party sellers. The company declined to say whether the spoofer tool is still used internally.
Occasionally, stories of Amazon’s internal access issues reached the outside world, with several cases of fraud and angry employee pranks making headlines.
As recently as September 2020, U.S. officials accused Amazon insiders of leaking amounts of data, shutting down accounts of third-party sellers, and manipulating product reviews in exchange for bribes in a a system that lasted three years and resulted in losses of around $ 100 million for sellers. and the business.
In January 2016, a story went viral of an Amazon customer in Ireland who complained about the service and later found out that a giant dildo had been added to their cart, presumably by the employee who felt insulted.
Amazon’s spoofer access system appears to have only been publicly verified once, after an FBI agent discovered that an Amazon employee Vu Anh Nguyen had used the access to “broadcast falsely and fraudulently $ 96,508.13 in reimbursements to himself and others. “
When Amazon itself was the victim of identity theft in 2003, because fraudsters used his identity to send huge amounts of spam emails, current Amazon legal officer David Zapolsky said, “The spoofers are lying about who is actually sending these emails. Identity theft is a forgery, and we are attacking spoofers across the breadth of the law. “
You want more analyzes of POLITICO? POLITICO Pro is our premium intelligence service for professionals. From financial services to commerce, technology, cybersecurity and more, Pro delivers the real-time insights, in-depth insights and the scoops you need to stay ahead of the curve. E-mail [email protected] to request a free trial.