
Amazon Faces Lawsuit Over Alleged Secret Collection and Sale of User Location Data

 

A new class action lawsuit accuses Amazon of secretly gathering and monetizing location data from millions of California residents without their consent. The legal complaint, filed in a U.S. District Court, alleges that Amazon used its Amazon Ads software development kit (SDK) to extract sensitive geolocation information from mobile apps.

According to the lawsuit, plaintiff Felix Kolotinsky of San Mateo claims Amazon embedded its SDK into numerous mobile applications, allowing the company to collect precise, timestamped location details. Users were reportedly unaware that their movements were being tracked and stored. Kolotinsky states that his own data was accessed through the widely used “Speedtest by Ookla” app. The lawsuit contends that Amazon’s data collection practices could reveal personal details such as users’ home addresses, workplaces, shopping habits, and frequented locations.

It also raises concerns that this data might expose sensitive aspects of users’ lives, including religious practices, medical visits, and sexual orientation. Furthermore, the complaint alleges that Amazon leveraged this information to build detailed consumer profiles for targeted advertising, violating California’s privacy and computer access laws. This case is part of a broader legal pushback against tech companies and data brokers accused of misusing location tracking technologies. 

In a similar instance, the state of Texas recently filed a lawsuit against Allstate, alleging the insurance company monitored drivers’ locations via mobile SDKs and sold the data to other insurers. Another legal challenge in 2024 targeted Twilio, claiming its SDK unlawfully harvested private user data. Amazon has faced multiple privacy-related controversies in recent years. In 2020, it terminated several employees for leaking customer data, including email addresses and phone numbers, to third parties. 

More recently, in June 2023, Amazon agreed to a $31 million settlement over privacy violations tied to its Alexa voice assistant and Ring doorbell products. That lawsuit accused the company of storing children’s voice recordings indefinitely and using them to refine its artificial intelligence, breaching federal child privacy laws. 

Amazon has not yet issued a response to the latest allegations. The lawsuit, Kolotinsky v. Amazon.com Inc., seeks compensation for affected California residents and calls for an end to the company’s alleged unauthorized data collection practices.

Progress Software Confirms SEC Investigation into MOVEit Mass-Hack

 

U.S. securities regulators are delving into the widespread MOVEit hack, which has left the personal information of over 64 million individuals exposed, according to the creators of the affected software.

Progress Software revealed in a recent regulatory filing that it has received a subpoena from the U.S. Securities and Exchange Commission (SEC), requesting "various documents and information" regarding the MOVEit vulnerability. 

“The SEC investigation is a fact-finding inquiry, the investigation does not mean that Progress or anyone else has violated federal securities laws and the investigation does not mean that the SEC has a negative opinion of any person, entity, or security,” the filing added. “Progress intends to cooperate fully with the SEC in its investigation.”

In the same filing, Progress assured that it anticipates only a marginal financial impact from the MOVEit mass-hacks, despite the extensive scope of the breach.

The company outlined expenses of $1 million related to the MOVEit vulnerability, accounting for both received and anticipated insurance reimbursements of around $1.9 million.

Nevertheless, Progress cautioned that potential losses may still occur, as 23 affected clients have initiated legal proceedings against the company and are seeking indemnification. Additionally, 58 class action lawsuits have been filed by individuals claiming to be affected.

Although almost half a year has passed since the discovery of the MOVEit zero-day vulnerability, the precise number of affected MOVEit Transfer customers remains uncertain. Cybersecurity firm Emsisoft reports that 2,546 organizations have confirmed being impacted, affecting more than 64 million individuals.

Fresh cases continue to surface. Just last week, Sony acknowledged that over 6,000 employees had their data accessed in an incident related to MOVEit. Flagstar Bank also disclosed that more than 800,000 customer records were pilfered.

November Security Breach

In its filing, Progress Software disclosed incurring additional expenses of $4.2 million linked to a distinct cybersecurity incident in November of 2022.

The filing did not divulge specifics about the event. However, John Eddy, a spokesperson for Progress, representing the company through a third-party agency, verified that during that period, Progress Software had identified signs of unauthorized entry into its corporate network, including evidence of certain company data being exfiltrated. The incident was made public in December 2022.

Progress Software has not disclosed the types of data that were accessed or the number of individuals affected. Eddy informed TechCrunch that the company maintained full functionality throughout the 2022 incident, which was unrelated to any "recently reported software vulnerabilities."

The company affirmed that expenses associated with this incident primarily encompassed the engagement of external cybersecurity experts and other incident response professionals. It also noted that it received approximately $3 million in insurance settlements.