Alexa Leak Reveals Private Audio Recordings to Another User

An Alexa leak has taken place as a result of a GDPR request by a customer of Amazon’s German website. The customer wanted some files and he got them from the retailer — but the files belonged to a completely different person.

One of the provisions of the GDPR effectively allows a citizen of the EU to request any data a company may have on them. An unnamed customer of Amazon.de did exactly that and received over 1,700 files from the company. The surprise was that the audio recordings were of someone else entirely.

It’s difficult to tell exactly how this Alexa leak took place. The company referred to the incident as an “isolated single case” and blamed the issue on human error. The consequences of this Alexa leak could have been terribly serious, especially because of the nature of such a device.

The magazine C’t contacted the customer who had erroneously received the recordings and obtained some of them. They began an analysis [PDF] of these voice files and were able to piece together several key facts about the original owner of the sound files:

  • The Alexa leak voice recordings were of a man.
  • A woman also spoke on the device, implying that he lives with a woman or a woman visits frequently.
  • The man had at least two devices: a voice-controlled Fire box and (of course) an Echo.
  • Questions about weather and public transportation gave the magazine an idea of the user’s location.
  • Spoken first names (and an occasional last name) allowed them to track down the user via social media.

Ultimately, C’t contacted the victim of the Alexa leak and informed him of the situation. Surprisingly, he stated that Amazon had not told him about the breach. Furthermore, the erroneous recipient of the files had also received no response from Amazon when he reported the issue to them.

Although Amazon has made a statement on the matter, it’s unclear whether or not they’ve correctly followed procedures for such a data breach as outlined in the GDPR. They have 72 hours from notification of a breach to inform the affected customers and we can’t be certain whether or not they complied within the prescribed timeframe. However this turns out, one ought to keep in mind what they’ve said to their voice-controlled devices and what might happen if that information gets loose in the world.

[via KnowTechie]