Amazon boxes are stacked for delivery in the Manhattan borough of New York City. Picture: REUTERS
Amazon boxes are stacked for delivery in the Manhattan borough of New York City. Picture: REUTERS

Seattle — said on Wednesday it mistakenly shared customer data with undisclosed parties, a privacy misstep by the world’s biggest online retailer heading into its busiest time of year.

The company e-mailed an undisclosed number of customers to report that their e-mails and names were inadvertently shared due to a technical error that has since been fixed. It also told customers that changing passwords was not necessary.

“We have fixed the issue and informed customers who may have been impacted,’ Amazon said, declining to provide further details on who received the private information.

Whether Amazon faces government investigations and fines for the error depends on where the customers live, said Marc Rotenberg, president of the Electronic Privacy Information Center, an independent research group.

In the US, the Federal Trade Commission has been reluctant to probe potential privacy violations, but the European Union would likely investigate and levy fines if any of the data shared was from customers in its jurisdiction, according to Rotenberg.

“Under the European approach, this appears to violate a fundamental data protection obligation,” he said. “That will lead to an investigation and likely a fine.”

Online holiday sales will top $124bn this year, up 14.8% from a year earlier, according to Adobe. Thanksgiving, Black Friday and Cyber Monday will be among the biggest spending days in the US.

Amazon should have provided more information about the nature of the problem and advised shoppers to be on alert for e-mail “phishing” scams that could result from their contact information being shared, said Andy Norton, a director at cybersecurity firm Lastline.

“This could be viewed as one of the worst breach notes in history,” he said. “It is creating confusion and uneasiness, and creating more questions than answers, when it should have done the opposite.”

Target was the victim of a high-profile data leak during the 2013 holiday shopping season, when hackers stole credit — and debit-card data, as well as personal information, for tens of millions of customers. That dented sales and triggered a stock slump that contributed to the removal of CEO Gregg Steinhafel.