Search TorNews

Find cybersecurity news, guides, and research articles

Popular searches:

Home » News » Cyber Threats » Amazon to Pay $2.25 Million FTC Fine over Identity Theft Records Violations

Amazon to Pay $2.25 Million FTC Fine over Identity Theft Records Violations

Last updated:July 1, 2026
Human Written
  • The FCT has announced a civil penalty of $2.5 million against Amazon for violating federal law.

  • The company has consistently either denied, delayed responses, or used privacy objections incorrectly to respond to customer requests.

  • Amazon is now mandated to improve its procedures and inform those customers who are affected.

Amazon to Pay $2 25 Million FTC Fine over Identity Theft Records Violations

Amazon has accepted to pay a $2.25 million penalty after the US Federal Trade Commission accused it of making life harder for victims of identity theft. Federal law requires companies to share these records.

The case hinges on the provision of Section 609(e) of the Fair Credit Reporting Act. According to this act, the victim has a legal right to receive business records associated with any fraudulent activity. The law requires that businesses deliver such records within thirty days after a legitimate demand.

The United States Department of Justice filed the complaint against Amazon following a referral by the FTC.

How Amazon Failed Victims

The FTC alleges that Amazon violated its legal obligations. The company’s customer service personnel often refuse to release records to customers. They cited supposed privacy or security concerns.

In other instances, the employees would tell customers that they cannot disclose the records. Other victims of fraud received the records beyond the legal time period.

Furthermore, the complaint states that Amazon denied law enforcement requests. These officers were authorized by victims to obtain records. That prevented investigators from gathering information to identify fraudsters.

Some consumers became so frustrated that they sent Amazon copies of the law. They also sent FTC guidance explaining the company’s obligations. Even then, Amazon still failed to comply.

A “Kafkaesque” Process

FTC Bureau of Consumer Protection Director Christopher Mufarrige described the ordeal. He said Amazon put victims through what he called a “Kafkaesque ordeal.”

One example from the complaint shows the problem. Someone used a customer’s payment card on a fake Amazon account without their consent. This individual requested for records regarding these transactions. However, Amazon didn’t comply.

Instead, Amazon allegedly required the victim to guess the name used on the fraudulent account. The victim reportedly guessed more than 30 names. None were correct. Amazon still did not remove the victim’s payment card from the fake account.

The commission argued that this request goes against the objectives of the law. Victims of identity theft are not aware of the person who stole their information. They require the records to trace down the identity thief.

What Amazon must do Now

The proposed court order goes beyond the financial penalty. Amazon must comply with Section 609(e) going forward. The company must provide requested records to eligible victims within 30 days. This also applies to authorized law enforcement agencies.

The importance of data protection is underscored by recent security incidents. Amazon’s One Medical is investigating a data breach after ShinyHunters claimed the theft of 8.8TB of data.

Amazon must also notify consumers who requested records since April 2024. Those who did not receive them can request additional records if available.

According to the FTC, there was no written policy at Amazon for these types of requests until early 2025. As the complaint stated, this policy had been developed only after the company found out about being under investigation.

Amazon’s Response

Amazon didn’t acknowledge any wrongdoings; however the company agreed to settle with the FTC. A statement by a company spokesperson revealed that Amazon had already settled the matter with the commission. They also said the company had already implemented process improvements for customers who believe they are identity theft victims.

The case remains pending until a federal judge approves the proposed settlement.

A Broader Pattern

The FTC described this as only its second enforcement action involving Section 609(e). Its first one involved a case the FTC filed in 2020 against retail department store chain Kohl’s. Kohl’s paid a civil penalty of $220,000 for similar violations.

This latest action adds to Amazon’s growing list of regulatory cases. In 2023, Amazon agreed to pay $25 million as a settlement for the FTC allegations related to children’s privacy issues and the Alexa voice assistant. The company has also faced enforcement actions over its Prime subscription practices.

While the $2.25 million penalty is small for a company of Amazon’s size, the FTC referred to it as a record civil penalty for a Section 609(e) violation. As stated by the agency, this case sets a message for companies to assist identity theft victims in getting the necessary records.

Share this article

About the Author

Memchick E

Memchick E

Digital Privacy Journalist

Memchick is a digital privacy journalist who investigates how technology and policy impact personal freedom. Her work explores surveillance capitalism, encryption laws, and the real-world consequences of data leaks. She is driven by a mission to demystify digital rights and empower readers with the knowledge to protect their anonymity online.

View all posts by Memchick E >
Comments (0)

No comments.