Amazon Fined $2.25 M for Withholding Identity‑Theft Victims’ Transaction Records
What Happened — The U.S. Federal Trade Commission (FTC) announced a $2.25 million civil penalty against Amazon for blocking identity‑theft victims from accessing their transaction records, in violation of Section 609(e) of the Fair Credit Reporting Act (FCRA). The agency also cited Amazon’s refusal to share records with law‑enforcement agents and delayed delivery beyond the FCRA‑mandated 30‑day window.
Why It Matters for Compliance & Audit Readiness
- The incident highlights the need for documented, auditable processes that guarantee timely data‑subject access requests—exactly the type of control SOC 2 Trust Services Criteria (CC6.1, CC6.2) require.
- Continuous monitoring of access‑control workflows and evidence collection can demonstrate compliance with both FCRA and SOC 2, providing defensible audit trails.
- Leveraging Verisq’s SOC 2 Access Controls capability helps map request‑handling procedures to audit evidence, ensuring you can prove “right‑to‑access” compliance at any moment.
Who Is Affected — Retail/e‑commerce platforms, large online marketplaces, and any organization that stores consumer transaction data and must respond to FCRA‑type requests.
Recommended Actions
- Review and formalize your data‑subject access request (DSAR) process against FCRA/CCPA requirements; map each step to SOC 2 controls.
- Implement continuous evidence collection for request handling (timestamps, approvals, fulfillment logs) to satisfy audit evidence needs.
- Conduct a gap analysis of current privacy‑policy communications to ensure agents are not mis‑representing “privacy” as a reason to deny lawful requests.
Source: BleepingComputer
Technical Notes — No technical exploit was disclosed; the issue stems from internal policy and procedural failures rather than a software vulnerability. The FTC cited repeated refusals by customer‑service agents and delayed record delivery beyond the statutory 30‑day deadline. Source: same as above