Amazon reports MOVEit related employee data breach, a year and a half after the incident

Amazon reports a data breach affecting employee information, stemming from a security incident at one of their third-party property management vendors. The breach was part of the broader MOVEit attacks from May 2023. The third-party vendor is not publicly identified.

A threat actor using the handle "Nam3L3ss" leaked the data on BreachForums. The threat actor claimed this leak represents "just a tiny portion of the data they have," suggesting potential for additional disclosures. The exposed data includes:

• Employee work contact information
• Work email addresses
• Desk phone numbers
• Building/office locations
• Names
• Employee contact information

Amazon claims that Social Security numbers, financial information or government identity documents were not exposed. The leaked dataset reportedly contains over 2.8 million records, though Amazon has not officially confirmed the exact number of affected employees.

Amazon confirmed patching the vulnerability exploited in the attack and that Amazon and AWS systems are reported to remain secure.

The company notified affected employees of the breach. It's unclear why Amazon did not disclose this incident as part of a regular incident reported and was only forced to do so after the hackers published the data. Either they didn't know or they didn't want to disclose. One doesn't know what is worse.