A German man was mistakenly sent Alexa voice recordings made by another user when he requested a copy of his own data from Amazon.
The unnamed individual contacted Amazon to ask for all the records the company held on him, a right EU citizens have as part of the recently enacted GDPR privacy legislation. When Amazon sent the man what he asked for, he also received 1,700 recordings from another Amazon customer’s Alexa commands. Confusingly, the man who requested the data does not own any Alexa-enabled devices himself.
He pointed out the mistake to Amazon, which then deleted the download link to the files but did not reply directly to his message.
Having saved the voice files already to his computer, the man sought the help of German tech publication c’t, which investigated further on his behalf. From the recordings, the magazine was able to figure out which devices the Alexa user owned, and that the Alexa user had a female partner who sometimes used voice commands too. Based on the pair’s questions about weather and traffic, and names of contacts they used, c’t was able to track them down on social media and make contact.
The affected Alexa user was able to confirm the details the magazine had gathered, and also told it that Amazon had not been in contact with him about the breach.
Upon contacting Amazon about this, c’t were told that the incident was an “unfortunate mishap”, and that everything between it and the two men had been settled. However, this was not the end of the story.
The Alexa user was contacted by Amazon about the breach only after the conversation between Amazon and c't took place, three days after he was first interviewed by the magazine. He was told that an Amazon employee had sent his data to the wrong GDPR requester, since he and the first man involved had both asked for their data. Amazon also claimed it had discovered the problem itself, erasing the involvement of the first man and c’t in bringing this issue to its attention. The victim was given a free Amazon Prime subscription and new Echo devices in compensation.
While Amazon’s behaviour towards the victim might seem unreasonable, c’t reports that the company is operating within the law. GDPR requires the party responsible for a breach to inform affected individuals without undue delay only when the breach is likely to result in a high risk to their rights and freedoms; the regulation sets a fixed 72-hour deadline for notifying the supervisory authority, but no comparable deadline for telling individuals about lower-risk breaches, so the timing of such notifications is open to interpretation.
As for penalties, it’s now in the hands of the German authorities to decide if and how Amazon should be punished for this lapse in data security.