Amazon CEO Jeff Bezos told U.S. lawmakers last year that the company has a policy prohibiting employees from using data on specific sellers to help boost its own sales.
“I can’t guarantee you that that policy has never been violated,” he added.
Now it’s clear why he chose his words so carefully.
An internal audit seen by POLITICO warned Amazon’s senior leadership in 2015 that 4,700 of its workforce working on its own sales had unauthorized access to sensitive third-party seller data on the platform — even identifying one case in which an employee used the access to improve sales.
Since then, reports of employees using third-party seller information to bolster Amazon’s own sales and evidence of lax IT access controls at the company suggest that efforts to fix the issue have been lackluster.
The revelations come as trustbusters worldwide are increasingly targeting Amazon, including over how it uses third-party seller data to boost its own offerings. The European Commission opened an investigation into precisely this issue in November 2020, with preliminary findings suggesting Amazon had breached EU competition law.
“This is fuel for the suspicions I had,” Dutch internet entrepreneur Peter Sorber said when told about the audit. Sorber sold children’s clothes on Amazon, but 18 months after setting up his “Brandkids” store on the platform and entering the required sales data, his products disappeared from the search rankings.
“You cannot ask a retailer to show his entire story with all sales statistics and then show that to your own purchasers. This is worse than not done. This is simply unfair competition,” Sorber said.
An Amazon spokesperson said that like all companies, it audits its policies for compliance and makes improvements based on its findings. “This includes Amazon’s internal seller data protection policy, which limits the use of seller data.”
Amazon has long denied reports that employees access data on individual sellers to develop competing products. Instead, it says it uses aggregated data in a way that is common across retail.
But according to the internal audit document, Amazon bigwigs including Jeff Wilke, the company’s number two until he left in March this year, and current General Counsel David Zapolsky knew that insufficiently robust access restrictions meant scores of insiders could inappropriately access seller-specific data.
“Permissions are not adequately restricted, making it possible for unauthorized users to view Seller-specific information such as performance history and authentication keys, edit inventory levels and pricing, and manage returns,” reads the report, which noted that an earlier internal audit had identified similar failings in 2010.
“We identified one Vendor Manager who inappropriately reviewed a Seller’s on-hand inventory to improve the likelihood and timing of the Vendor Manager winning buy-box,” the 2015 report said, in reference to a much-coveted listing that sellers on the platform compete fiercely over since it drives 80 percent of sales.
Amazon said it would not comment on any action taken against the vendor manager in question for reasons of privacy. It said its employees are only permitted to use seller-specific data to support that seller, to protect Amazon’s customers or to run Amazon’s store by, for example, deciding how to allocate inventory space among sellers within a warehouse.
A former employee cast doubt on Amazon’s internal controls.
“There was an access control system that allowed people who had the motivation to be good at their job to take data they weren’t supposed to have,” said a person who worked in information security at Amazon after the report came out and spoke on a condition of anonymity because of fear of retaliation.
Although Amazon knew about insufficient access restrictions as far back as 2010, court cases, media reports and accounts of employees since then suggest that it has done too little to prevent its retail staff from inappropriately using seller information to boost its own sales.
In the 2015 audit, Amazon middle management acknowledged and set out a plan to remedy the problems raised in the report. But the former information security insider called the follow-up “murky” and said problems related to the digital tool used to access accounts lasted at least until 2018.
“Compliance for the sake of compliance was not well-received [by Amazon leadership]. Compliance that could meet business goals could have some success,” said the information security professional, who had raised the issue of access restrictions internally.
Regulators have been circling around Amazon’s dual role as a platform and seller for some time.
The European Commission in November 2020 pressed charges against the tech giant for “systematically relying on non-public business data of independent sellers who sell on its marketplace, to the benefit of Amazon’s own retail business, which directly competes with those third-party sellers.”
While acknowledging that data on individual sellers is part of the investigation, EU Competition Commissioner Margrethe Vestager, when issuing the charges, said her case against Amazon “is more on big data” — or the e-commerce platform’s analysis of large data sets to drive decision-making.
Asked if the EU executive had reviewed the audit report as part of its Amazon data probe, the Commission said it “cannot comment on leaked documents” and that its “investigation is ongoing.”
Two people familiar with the matter said the Commission has seen the report.
EU competition experts argue that going after the use of individual data would be the easier way for the Commission to take on Amazon.
“The use of aggregate data is more difficult because the average supermarket does it too,” said a lawyer who reviewed POLITICO’s findings on a condition of anonymity because his firm represents a complainant in the case.
While Amazon’s dual role as a platform and seller has become a high-profile concern of antitrust watchdogs on both sides of the Atlantic, the digital tool that made abuse possible has so far received little public attention.
The vendor manager singled out in the audit report used this tool — internally referred to as “spoofer access” — to conceal their identity and access the account as the seller, to view and edit the account profile, the inventory and the pricing of the products and to cancel orders.
According to industry standards, account access should be limited to certain people within the company. But the audit report said that Amazon left its spoofer access wide open, allowing unauthorized employees across the world, including in China, to access and modify sensitive information.
It’s not the first time the way Amazon controls access to its systems internally has faced heat.
In a POLITICO investigation published in February, former information security insiders accused Amazon of exposing millions of people’s data to breaches because it fails to properly police access.
In that report, a second former high-level information security insider described the quality of access controls that Amazon has in place as “appalling,” and said that they “would not have passed muster with most auditors.” A third insider confirmed that reams of personal information were accessible to people who did not have the appropriate role or responsibility. Amazon rejected those allegations.
“All Amazon’s tools are built in such a way that you can use them for whatever purpose you want them to. That is the basic principle of how Amazon grew that quickly,” the first insider said.
Not only did spoofing leave few digital traces for sellers, it also hampered Amazon’s ability to monitor abuse, with the 2015 audit detailing how activity logs were “only retained for 30 days, and do not provide sufficient data to investigate Spoofer activity.” This could imply that actual abuse was much more widespread than the single case identified in the report, which would correspond to many third-party sellers’ suspicions. The company declined to comment on whether the spoofer tool is still used internally.
Occasionally, stories of Amazon’s internal access woes have reached the outside world, with several cases of fraud and pranks from angry employees making headlines.
As recently as September 2020, U.S. authorities accused Amazon insiders of leaking reams of data, shutting down third-party seller accounts and manipulating product reviews in return for bribes in a scheme that lasted three years and resulted in around $100 million in losses for the sellers and the company.
In January 2016, a story went viral of an Amazon customer in Ireland who complained about the service and later discovered a giant dildo was added to his shopping cart, probably by the employee who felt offended.
Amazon’s system of spoofer access seems to have been publicly name-checked only once, after an FBI agent discovered Amazon employee Vu Anh Nguyen used the access to “falsely and fraudulently issue $96,508.13 in refunds to himself and others.”
When Amazon itself fell victim to spoofing in 2003, because fraudsters had used its identity to send huge amounts of spam emails, Amazon’s current head of legal David Zapolsky said: “Spoofers lie about who’s really sending these emails. Spoofing is forgery, and we’re going after spoofers to the full extent of the law.”