Amazon fined $2.25 million for refusing identity theft victim records
The U.S. Federal Trade Commission (FTC) has fined Amazon $2.25 million. The e-commerce giant is accused of refusing to provide identity theft victims with records of fraudulent transactions.

Amazon has been fined $2.25 million by the U.S. Federal Trade Commission (FTC) for allegedly refusing to provide records of fraudulent transactions to victims of identity theft. The FTC complaint stated that Amazon subjected victims to a "Kafkaesque ordeal," requiring them to identify the fraudster before releasing information.
Under Section 609(e) of the Fair Credit Reporting Act, companies are legally obligated to provide identity theft victims with access to application and business transaction records evidencing fraudulent activities within 30 days of a request. Amazon reportedly failed to comply with this requirement prior to February 2025.
In several documented cases, Amazon refused to share details about fraudulent accounts using victims' credit card information, citing "privacy" and "security." The FTC clarified that these grounds are not permissible under the law for denying such requests. One instance cited involved a victim being asked to guess the fraudulent account owner's name over 30 times.
Furthermore, Amazon allegedly lacked a formal policy to handle these requests until early 2025, implementing one only after learning of the FTC's investigation. The FTC expressed concerns that even after implementing a policy, Amazon continued to deny certain requests unlawfully.
The penalty highlights potential regulatory gaps concerning consumer protection in digital transactions, particularly regarding access to information for victims of identity theft.