Glitch at Amazon Exposes Some E-Mail Addresses

An apparent glitch in Amazon.com's computer system has released the e-mail addresses of some of Amazon's customers to another customer who participates in the company's Associates Program.

Associates customer Dave English said that when he logged into Amazon.com's Associates' page last week, he discovered that Amazon accidentally exposed other users' e-mail addresses to him.

"If you go to the Amazon Associates program log-in page and choose to have it e-mail you your password, it complains that the e-mail address you entered is invalid [even if it is fine]. Then if you hit the refresh button, you can end up seeing other e-mail addresses of other folks trying to retrieve their password as well," said English, president of Nashua, N.H.-based Strategies Online Inc., which provides software quality assurance services to local software companies.

English said he believes the problem lies with the Web script that handles that process and is not an overall design flaw.

Although English notified Amazon.com about the problem on Aug. 31 -- he provided Computerworld with an Aug. 31 reply e-mail from Amazon.com saying the company was investigating the matter -- he said he was still able to access other users' e-mail addresses today.

An Amazon.com spokeswoman did not respond to several requests for comment.

Andrew Shen, a policy analyst at the Electronic Privacy Information Center in Washington, said Amazon.com, or any other online company notified of a security breach, has a responsibility to respond to the issue as quickly as possible and to notify customers about the problem.

"Customers expect that when they provide personal information to a company's Web site, they expect that information to be protected," he said. "There's no such thing as perfect security, but you have to respond quickly rather than later. Amazon has a responsibility to fix the problem as soon as possible and tell customers what happened."

However, Shen said, there is very little incentive for online companies to do so.

"There should be some sort of legal penalty for companies that don't respond to notification of a break-in in order to force companies to be more responsible," he said.

English said any developer could write a quick program -- in about 10 minutes -- that would automatically refresh the page and grab the e-mail addresses. English provided Computerworld with some of the e-mail addresses he said he shouldn't have been able to see.

"I could leave it running all day and easily scoop up hundreds of thousands of addresses if I wanted to," he said. "Of course I have no plans of doing this, but a spammer, or [Amazon's] competition would."

Richard Smith, chief technology officer at the Denver-based Privacy Foundation, a privacy research organization, said English's discovery was not unusual.

"It does happen [that] a glitch at a Web site gives out visitors' information," Smith said. "It seems like it could be a bug in the Web server program. This is one of the things that crops up."

In contrast to Amazon.com, another online retailer, Swedish home furnishings vendor Ikea International A/S, responded to a recent security breach as soon as it became aware of the problem.

Rich D'Amico, business development manager for Ikea North America, said that at about 8 p.m. Sunday night, someone broke into the company's catalog database file, which contains the names, addresses and telephone numbers of people requesting catalogs, and downloaded the file.

"We took it down completely so we could investigate it, and it's still down because we haven't finished yet," D'Amico said. "Whoever did this had a lot of [technical expertise] because he got around our high level of security."

D'Amico said Ikea is sending an e-mail to customers who were affected by the security breach informing them of what happened.
