Amazon has agreed to pay $2.25 million to settle federal allegations that it denied identity theft victims access to business records they needed to investigate fraudulent transactions made with their personal information.
The Justice Department filed the case June 29 in the U.S. District Court for the District of Columbia after a referral from the Federal Trade Commission. The two-count complaint accuses Amazon.com Inc. of knowingly violating the Fair Credit Reporting Act by failing to provide records to identity theft victims and by failing to respond within the 30-day deadline required by federal statute.
Federal regulators claim Amazon entered into transactions with people who allegedly used another person’s identifying or financial information without permission, then failed to turn over application and transaction records when victims asked for them. The records at issue can include details about fraudulent accounts, unauthorized charges, and purchases connected to a victim’s stolen information.
The case centers on Section 609(e) of the Fair Credit Reporting Act, a provision that gives identity theft victims a right to obtain certain records from businesses connected to the alleged fraud. The rule applies when a company has provided goods or services, accepted payment, or otherwise entered into a commercial transaction with someone believed to have used another person’s information without authorization.
That access can be important because victims often need transaction records to dispute charges, file police reports, work with law enforcement, and understand how their information was used. The statute also allows those records to be sent to a law enforcement agency when the victim authorizes that step.
Businesses may verify that the person requesting records is the victim. The statute permits companies to ask for proof of identity, such as a government-issued identification card, and proof of the identity theft claim, such as a police report and affidavit. The government argues Amazon went beyond those verification steps by denying access for reasons not allowed under Section 609(e).
Regulators claim Amazon often cited security or privacy concerns when consumers asked for records tied to fraudulent accounts or charges. The FTC says those concerns did not permit Amazon to refuse records when a victim had made a proper request under the federal consumer protection provision.
One consumer identified in the filing allegedly contacted Amazon in June 2023 after unauthorized charges were made through a fraudulent account. A company representative allegedly said the consumer could not receive details about the account for security reasons unless the consumer guessed the name on it. The consumer made more than 30 guesses before giving up, the filing states.
Investigators also say Amazon denied some requests because consumers could not identify the fraudulent account holder, even though that information was part of what the victims were trying to obtain. In other instances, company representatives allegedly told consumers that they could not access the requested records.
The government also claims Amazon refused to provide records to law enforcement agencies that had been authorized by identity theft victims to receive them. Some representatives allegedly told officers they needed a subpoena or other legal process, though regulators say that was not a valid basis to deny a victim-authorized request under Section 609(e).
Amazon did not have a written policy for responding to Section 609(e) requests until early 2025, the government claims. FTC staff had advised Amazon’s counsel in June 2023 to review the company’s compliance after receiving a consumer complaint. The same consumer allegedly tried again to obtain records several months later but did not receive them until after the FTC notified Amazon in January 2025 that it was investigating the company’s practices.
The enforcement action relies on both the Fair Credit Reporting Act and the FTC Act. When the FTC enforces an FCRA violation, that conduct can also be treated as an unfair or deceptive act or practice under Section 5 of the FTC Act. That connection allows the government to seek civil penalties and a court order requiring future compliance.
The proposed stipulated order would require Amazon to pay the $2.25 million civil penalty within 7 days after court entry. The FTC described the amount as a record penalty for a Section 609(e) violation.
Beyond the payment, Amazon would be barred from failing to provide covered records to verified identity theft victims or authorized law enforcement agencies. The order would also require the company to post a notice on its website for 3 years explaining how victims can request records tied to a fraudulent account or transaction.
Amazon would also have to search for eligible identity theft victims who submitted written requests from April 1, 2024, through the date of the order but did not receive the records connected to their claims. The company would then have to notify those consumers that it may have additional records and explain how they can request them.
Amazon neither admits nor denies the allegations in the complaint, except as stated in the proposed order for purposes of establishing jurisdiction.
The proposed order includes compliance reporting, record retention, and monitoring requirements. It would remain in effect for 10 years after court entry.