When your sellers obtain your data

19.11.2021

California Pizza Kitchen has reported a breach that compromised data belonging to more than 100,000 employees, both those who have resigned and those who still work there.

The report claimed that the company discovered the incident on September 15, 2021. California Pizza Kitchen, which operates in 32 states, inadvertently compromised the Social Security numbers of 104,000 workers.

The investigation was launched immediately after the company detected abnormal activity in its systems and secured the environment. No further specifics were given about what data was affected. Users who were at risk of having been affected received access to free TransUnion credit monitoring services for a year.

Amazon customer data was resold to Amazon’s vendors. Amazon’s proprietary program is to blame: with its help, the company’s contractors were taking customer data from the giant. The incident occurred back in 2018.

The program was designed to help sellers evaluate product performance. One Chinese company working with Amazon was able to collect data stored on Amazon servers with the help of that tool. It even created a service based on this data, AMZReview. The company advertised the service to other third parties cooperating with Amazon as a way to increase their rankings.

The AMZReview system obtained 16 million records, but according to the Amazon department responsible for security, the data of about 4.8 million individuals was involved.

The company failed to identify the instances of data misuse or who exactly could have misused the data. Still, apparently about 50% of Amazon’s sellers could be blamed for abusing their power and the company’s rules.

Amazon decided to restrict the amount of information that third parties can access, and the sellers were asked to remove any Amazon customer data they had saved earlier. It was also announced that AMZReview had been shut down.


The Amazon breach might have been prevented if the company had deployed a monitoring system controlling suspicious user activity within a system or via various communication channels.