Amazon accidentally sent the wrong person approximately 1,700 audio files and a PDF containing transcripts of intimate conversations - all recorded over the company's in-home Echo assistant.
In August 2018, a German Amazon customer took advantage of the EU's General Data Protection Regulation (GDPR) to request whatever personal data Amazon had on file about him. Several months later, he received a link to download a 100MB ZIP file, according to German news outlet Heise.
About 50 of the zipped files contained data relating to everyday things like Amazon searches, but there were also around 1,700 WAV files and a PDF cataloging unsorted transcripts of Alexa’s interpretations of his voice commands. Schneider was extremely surprised to find these files as he doesn’t use Alexa and doesn’t own any Alexa-enabled devices. He listened to some random sample files but didn’t recognize any of the voices they contained. -Heise
The man emailed Amazon on November 8 to notify them that they had sent the wrong customer's information, asking who they belonged to. When he hit a dead end, he contacted German computer magazine c't - feeling that the victim should be found and informed about the data breach which covered the entire month of May.
We asked him to send us some of the files (confidentially of course) so that we could get an idea of what they contained. They enabled us to piece together a detailed picture of the customer concerned and his personal habits. It was obvious that ‘Customer X’ uses Alexa in multiple locations. He has at least one Echo at home and has a voice-controlled Fire box connected to his TV. A female voice also spoke to Alexa, so there was clearly a woman around at least some of the time. -c't via Heise
The Alexa device was able to hear the customer in the shower - as well as commands given to thermostats and other smart devices around the house. The man used Alexa at home, on his smartphone and when he was out and about.
We were able to navigate around a complete stranger’s private life without his knowledge, and the immoral, almost voyeuristic nature of what we were doing got our hair standing on end. The alarms, Spotify commands, and public transport inquiries included in the data revealed a lot about the victims’ personal habits, their jobs, and their taste in music. -c't via Heise
The investigative team was able to quickly identify the customer and his female companion based on first names, last names, weather queries and other information which led them to public data from Facebook and Twitter. When they could not find any contact information for the customer, the c't investigators asked Twitter to request that the victim contact them - which they did. The victim immediately called back, and was "audibly shocked" when they revealed what Amazon had accidentally sent to a stranger. The man confirmed that the investigators had correctly identified his girlfriend, and then began running through everything he and his friends asked Alexa - wondering what secrets they may have revealed.
Amazon responded to c't's inquiries on what happened, calling it an "unfortunate mishap" which they had "resolved."
The fact that Amazon linked a customer’s data to the wrong person and didn’t notice the mistake points to a severe lack of control over the processes involved. It is obvious that no serious checks took place. The situation is worsened by the fact that Martin Schneider received no reply when he informed Amazon of the error. Furthermore, according to the victim, Amazon didn’t contact him either. Amazon’s data protection systems are obviously flawed on multiple levels. We contacted Amazon about the case without letting on that we had identified the victim. According to the law, Amazon is obliged to contact the data protection authorities within 72 hours of discovering such a breach, and we wanted to find out if they had actually done this (see the interview below).
Amazon said that an employee made a "one-time error" and claimed to have implemented new measures to ensure this doesn't happen again, after resolving the issue with both customers (by calling them, apologizing, and claiming they had discovered the error themselves).
They also gave the victim a free Prime membership as well as new Echo Dot and Spot devices.