Are Amazon Merchant Data Risks a Global Concern?

Data has implications that are both financial and personal, such as social identifiers that could lead to fraud and theft

News of data breaches dominates headlines when they occur, but the constant struggle to patch existing vulnerabilities and protect against new ones doesn’t garner much attention. Companies and individuals reading about events like Facebook’s recent Cambridge Analytica scandal are rightfully scared about how their data is being used, but the word ‘data’ doesn’t immediately depict the value being fought over.

Data has implications that are both financial and personal, such as social identifiers that could lead to fraud and theft, but also general information that gives larger entities such as corporations or even countries an advantage over others.

Far from a flash in the pan, data breaches are an ongoing threat facing entities of all sizes, and this is evidenced well by an issue that Amazon merchants and users might face on the platform.

It lends credence to the fact that a more suitable analogy for what we’re now seeing is a persistent “Cold War” over data, because attacks and risks aren’t necessarily one-off, but a state of tension between those that want data and others who want to keep it private.

Countries like China wage this data war using one of their most powerful weapons: trade dominance for items sold online, but specifically on

Amazon is a Global Battlefield

Amazon is the world’s leading eCommerce hub, serving 50 million households and over 300 million people, and buyers and sellers active on its platform arrive from countries around the world. In fact, this is a primary reason for its success. Of the sellers on Amazon, it is no surprise that China is heavily represented, with 34% of top sellers based in China alone.

An impressive 250,000 more Chinese sellers joined during 2017, which makes sense given China’s manufacturing dominance and proclivity for eCommerce. However, this imbalance has unintended consequences.


With supremacy over the supply side on Amazon, Chinese payment processors and merchants have leverage over those that they do business with in the West. The services in use by the Chinese, such as Lianlian Pay and Ping Pong, have used this influence to gain more than money from the customers and smaller merchants who wish to sell Chinese goods in their stores.

Western Amazon merchants allow relevant suppliers, payment processors, CRM platforms, ERP solutions, logistics providers and other value-added services to plug into their Marketplace Web Services (MWS) API. This is necessary to keep inventory, payment, shipping, and other business flows inexpensive and autonomous.

However, to link their stores with Chinese suppliers and the array of peripheral Chinese services attached to them, Western merchants are often asked to hand over the private key to their MWS API.

While Amazon does require a merchant to grant API access to suppliers and other relevant service providers, it’s supposed to come in the form of a secure developer ID, which limits the information that the connected party has about the merchant. The way this is communicated is a bit confusing and leaves room for negligent merchants to be scammed:

“Give your Developer ID to the seller who wants to use your services as a developer. When the seller authorizes you as a developer, they use your Developer ID to give you developer access to their selling account. The seller must also provide you with their Seller ID, so you can make calls to Amazon MWS on their behalf.”

Merchants are frequently tricked or forced into handing over their private key instead of simply granting dev access. If they discover the ruse or refuse to comply, they can’t obtain China’s competitively priced wares, impacting their bottom line.

With over 500,000 Chinese companies operating on Amazon today, the vast majority of which use local Chinese third-party companies for value-added services, it’s estimated that over 50% are accessing data via secret key in this manner. This means that they’re gleaning very sensitive information from merchants, including personal information, credit card numbers and payment history, internal prices from competing merchants, and more.


The Cold War on Data

Countries understand this threat intimately and are trying to establish new laws and regulations over data, to keep individuals protected even as oversight moves in a more global direction. This idea runs parallel to the current trade wars exhibited between countries like the US and China.

Data on trade is just as valuable as a tariff on certain goods as it helps to inform and give an advantage to the entity on the winning (hacking) side. For each new rule or rapid response from affected nations, there is an equal effort on the part of their competitors to find loopholes in compliance, which is ultimately controlled by the platform serving as the battlefield.

Amazon isn’t doing much to quell the data battle raging on their site, unfortunately. If one looks at how easy it is to pass muster and register as an Amazon developer, for example, this much is obvious. Amazon developers must be vetted more thoroughly, because if a company with malicious intentions is allowed to obtain a Developer ID and therefore access partner merchant APIs (and more if they can manage it), the entire ecosystem is compromised.

Sellers can always refuse to give their private keys, of course, but then they’re easily priced out of the market by Chinese rivals.

This latest trend has played out against global regulations for data privacy, but China’s software and hardware-adjacent spying attempts are already old news. In 2015, Amazon was also involved in a potentially scandalous attempt at data theft, though it wasn’t their fault and was much more serious.

The company discovered Chinese chips soldered onto the motherboards of their US-based server provider, leading to an enormous investigation uncovering backdoors into the US Department of Defense, military, and other key institutional databases.

Guarding Consumers as Commerce Goes Global

It’s easy to tell someone to be careful about who they give their data to, but in reality, it’s not cut and dried. People and companies are vulnerable in places where they least expect to be, and even the most secure individual can be exposed if the hardware manufacturer they trust cuts corners with Chinese hardware. An absence of due diligence in the supply chain might put millions of people at risk, and this is something that no one person can guard against.

Thankfully, places like the EU are leading the way in how data is protected, but also how it’s shared. As data moves more commonly in global channels, new technology and standards like blockchain and GDPR help to protect it.

Regulators are also forcing giant technology companies like Facebook and Airbnb, upon which global data and commerce are abundant, to change their Terms of Service and close gaps in terms of compliance and respecting consumers’ rights. This represents a ray of sunshine on the future horizon, though for the present, it pays to be informed and wary.

Disclaimer: This is a contributed article and should not be taken as investment advice
