What Happened
The U.S. Federal Trade Commission (FTC) has fined Amazon $2.25 million for systematically blocking identity theft victims from accessing transaction records they were legally entitled to under the Fair Credit Reporting Act (FCRA). The enforcement action targets Amazon's repeated violations of FCRA Section 609(e), which requires businesses to provide victims of identity theft with records of fraudulent transactions made in their name within 30 days of a valid written request.
How Amazon Obstructed Victims
According to the FTC's findings, Amazon's customer service agents and review processes created systemic barriers to compliance:
| Obstruction Method | Description |
|---|---|
| Privacy/security deflection | Agents cited vague "privacy" or "security" concerns to deny requests |
| False inability claims | Claimed records could not be located when they existed |
| Deadline violations | Provided records after the 30-day statutory window |
| Law enforcement refusals | Denied requests from law enforcement even with proper authorization |
| Policy confusion | Obstructed even when victims sent Amazon copies of the FCRA statute and FTC guidance |
These obstructions left victims unable to build fraud cases, recover financial losses, or clear their names — even in cases where Amazon held the definitive proof of fraudulent transactions bearing the victim's identity.
The Legal Framework: FCRA Section 609(e)
FCRA Section 609(e) was specifically designed to help identity theft victims reclaim their lives. The provision requires businesses — including retailers — to provide free copies of application records, business transaction records, or any other business record relating to a transaction involving the victim's compromised identity, when:
- The victim submits a written request
- The victim provides proof of identity
- The victim provides a copy of an identity theft report (police report or equivalent)
The business must comply within 30 days of receiving a complete request. There is no exception for privacy concerns when the requester is the fraud victim or law enforcement acting on their behalf.
Scope and Timeline
The FTC's order requires Amazon to:
- Pay $2.25 million in civil penalties
- Fulfill all lawful FCRA 609(e) requests within 30 days going forward
- Proactively notify all consumers who submitted records requests since April 2024 but never received the records they were entitled to
The retroactive notification requirement is significant — Amazon must now track down and fulfill requests it previously stonewalled, potentially affecting hundreds or thousands of fraud victims.
Why This Matters for the Cybersecurity Community
Identity theft victims frequently need records from major platforms like Amazon to:
- Document fraudulent purchases for law enforcement investigations
- Challenge fraudulent credit inquiries with credit bureaus
- Support civil litigation against fraudsters
- Demonstrate to financial institutions that they are victims, not perpetrators
When platforms obstruct this access, the downstream effect is that cybercrime investigations stall, fraudsters remain unaccountable, and victims bear both the financial and procedural burden of crimes committed against them.
This case is a reminder that consumer-facing companies have affirmative legal obligations to fraud victims — not just their paying customers.
What to Do if You're an Identity Theft Victim
If you believe fraudulent transactions were made using your identity on Amazon or similar platforms:
- File an identity theft report at IdentityTheft.gov (generates an official FTC report)
- Send a written FCRA 609(e) request to the business's legal or compliance department — include your FTC identity theft report and proof of identity
- Document all correspondence with dates and response times
- Report non-compliance to the FTC at reportfraud.ftc.gov if the 30-day window is missed