Alexa leak

Alexa Leak Reveals Private Audio Recordings to Another User

An Alexa leak has taken place as a result of a GDPR request by a customer of Amazon’s German website. The customer wanted some files and he got them from the retailer — but the files belonged to a completely different person.

One of the provisions of the GDPR effectively allows a citizen of the EU to request any data a company may have on them. An unnamed customer of Amazon.de did exactly that and was surprised to receive over 1,700 files from the company. Surprisingly, the audio recordings were of someone else entirely.

It’s difficult to tell exactly how this Alexa leak took place. The company referred to the incident as an “isolated single case” and blamed the issue on human error. The consequences of this Alexa leak could have been terribly serious, especially because of the nature of such a device.

The magazine C’t had contacted the customer who erroneously received the recordings and received some of them. They began an analysis [PDF] of these voice files and were able to piece together several key facts about the original owner of the sound files:

  • The Alexa leak voice recordings were of a man.
  • A woman also spoke on the device, implying that he lives with a woman or a woman visits frequently.
  • The man had at least two devices: a voice-controlled Fire box and (of course) an Echo.
  • Questions about weather and public transportation gave the magazine an idea of the user’s location.
  • Spoken first names (and an occasional last name) allowed them to track down the user via social media.

Ultimately, C’t contacted the victim of the Alexa leak and informed him of the situation. Surprinsgly, he had stated that he was not told by Amazon about the breach. Furthermore, the erroneous recipient of the files had also received no response from Amazon when he had reported the issue to them.

Although Amazon has made a statement on the matter, it’s unclear whether or not they’ve correctly followed procedures for such a data breach as outlined in the GDPR. They have 72 hours from notification of a breach to inform the affected customers and we can’t be certain whether or not they complied within the prescribed timeframe. However this turns out, one ought to keep in mind what they’ve said to their voice-controlled devices and what might happen if that information gets loose in the world.

[via KnowTechie]

Upcoming Releases
Kindred Fates is an open world monster battling RPG, and a love letter to the monster battle genre. Our goal is to evolve the genre, and finally bring fans what they've been asking for.
Inspired by the beauty of the natural world around us, Everwild is a brand-new game in development from Rare where unique and unforgettable experiences await in a natural and magical world. Play as an Eternal as you explore and build bonds with the world around you.
Atlas is an action-rpg with rogue-like elements where you use your ability to control the ground to fight the enemies and move through procedurally generated worlds.
Reviews
X