Could Amazon Be Blocking *Your* Identity Theft Records When You Need Them Most?

July 4, 2026
by Abhijay Bhatnagar

You spot a charge you never made. You do the “right” things—freeze your credit, file a report, call the company. Then you hit the wall: “We can’t share that for privacy reasons.” That’s exactly what the FTC says happened to many people trying to get identity theft records from Amazon—and it’s why Amazon agreed to pay a $2.25 million civil penalty.

This post breaks down what you’re legally allowed to ask for under FCRA Section 609(e), the clock companies are supposed to follow, and how to make a request that’s hard to brush off.

What the FTC says went wrong (and why the “privacy” excuse matters)

When you report identity theft, you’re not asking a company to “take your word for it.” You’re asking for identity theft records—the receipts that show what happened so you can prove it wasn’t you.

The FTC says that’s where Amazon allegedly failed people. In the FTC’s account, identity theft victims asked Amazon for records tied to fraudulent transactions made in their names, and Amazon blocked access or didn’t provide what the law requires.

The core allegation: requests got denied, stalled, or treated like they weren’t allowed

According to reporting on the FTC complaint, Amazon customer service agents allegedly:

  • Denied requests for records of fraudulent transactions, citing “privacy” or “security” reasons
  • Told some consumers agents couldn’t access the requested records
  • Provided records only after the 30-day timeframe required under FCRA Section 609(e)
  • Even refused to provide application and business transaction records to authorized law enforcement who submitted requests on victims’ behalf

That combination—blocked access + “privacy” scripting + delays—is why Amazon agreed to pay a $2.25 million civil penalty to settle charges that it knowingly violated the FCRA.

Why the “privacy” excuse matters (and why it can trap victims)

“Privacy” sounds reasonable until you’re the person whose identity was used. If you can’t get the records, you’re stuck trying to prove fraud with half a story.

Without clear transaction and account details, it gets harder to:

  • File a police report that law enforcement can actually act on
  • Dispute charges cleanly and fast
  • Show the account wasn’t yours (or that the shipping address, device info, or contact info doesn’t match you)
  • Stop repeat attempts, because you don’t know what data the thief used and how they got in

The FTC even noted some consumers got so fed up they sent copies of the FCRA and FTC guidance to Amazon hoping it would break the logjam—yet Amazon still allegedly didn’t comply.

FCRA 609(e), in plain English: what you can request + the 30-day rule

When a company tells you it “can’t share anything,” FCRA Section 609(e) is the part that’s supposed to cut through the noise. It says identity theft victims can request specific records connected to the fraud—and those requests can also be made by authorized law enforcement acting for the victim.

Here’s the simplest way to think about the identity theft records you can ask for under 609(e): the same three buckets the FTC called out in the Amazon matter.

1) Transaction records (the “what was bought” trail)

These are the records tied to the fraudulent transactions made in your name—the order-level proof that helps you show what happened.

Ask for items like:

  • Order/transaction IDs, dates, totals
  • Shipping details and delivery information (what was shipped, where it went)
  • Payment method details tied to the transaction (as the business has them)

2) Application records (the “how the account got opened” trail)

If someone opened a new account or credit line using your identity, application records help establish what info was used to set it up. The FTC reporting on Amazon specifically mentions application records as part of what was at issue.

3) Business transaction records (the “what the business saw internally” trail)

These are the records created as part of the company’s own business processes around the fraudulent activity. The FTC reporting again flags these as records Amazon allegedly refused to provide in some cases—even to authorized law enforcement.

Who can request these records?

You can request them directly as the victim. Also, law enforcement agencies authorized by the victim can submit requests on the victim’s behalf.

The 30-day rule (where a lot of people get stuck)

The timing piece matters. In the FTC’s telling, one key issue was that even when Amazon did provide records, it sometimes did so after the 30-day timeframe required by the FCRA.

If you’re going to make a 609(e) request, treat it like a deadline-driven process:

  • Day 0: you submit a clear, written request for 609(e) records tied to identity theft
  • By Day 30: the business is supposed to provide access to the lawfully requested records

That clock is a big deal because your other steps—police report follow-ups, charge disputes, and stopping repeat attempts—move a lot faster when you have the paperwork in hand.

How to request identity theft records without getting bounced between support reps

The fastest way to get bounced is to sound like you’re asking for “account info.” Don’t.

You’re making a specific legal request for identity theft records under FCRA 609(e) tied to fraudulent transactions made in your name. The FTC’s Amazon case coverage makes clear these record requests can get lost in regular support flows, including being rejected as “privacy” or “security” issues.

Step 1: Gather what you’ll need (before you contact anyone)

Keep it simple. Prepare a single PDF folder (or email attachments) with:

  • Your identity + contact info
      • Full name, current address, phone, email
      • A copy of a government ID (redact what’s not needed if you can)
  • Proof you’re the victim
      • Identity theft report or police report number (if you have it)
      • Any written confirmation that the transaction/account is unauthorized
  • Fraud identifiers (make it easy to search)
      • Order number(s), dates, amounts
      • Any case ID, chat transcript ID, or ticket number
      • Screenshot(s) of the suspicious charge/order page

Step 2: Send the request where it won’t die in chat support

Chat is fine for opening a case, but written requests are harder to ignore and easier to prove later.

Use:

  • The company’s fraud, legal, or identity theft intake address (email or mailing address)
  • If you can’t find one, start with customer support but immediately ask to be routed to the team that handles FCRA 609(e) requests

Step 3: Use a script that forces clarity (copy/paste)

Short. Direct. No drama.

Request script (victim):

Subject: FCRA 609(e) Request – Identity Theft Records

I am requesting identity theft records under FCRA Section 609(e) related to fraudulent transactions made in my name.

Please provide access to the transaction, application, and business transaction records associated with:

  • Name used: [Your name]
  • Email/phone on account (if known): [ ]
  • Order/transaction IDs: [ ]
  • Dates/amounts: [ ]

Attached are documents verifying I am the identity theft victim. Please confirm receipt and provide the records within 30 days.

Request script (law enforcement):

Subject: Authorized Law Enforcement Request – FCRA 609(e) Identity Theft Records

I am a law enforcement representative authorized by the identity theft victim to request records under FCRA Section 609(e).

Please provide the transaction, application, and business transaction records related to the fraudulent activity listed below. Attached is the victim’s authorization and supporting documentation.

The FTC coverage specifically notes issues where application and business transaction records weren’t provided even when authorized law enforcement requested them, so spelling out the record types helps avoid “we already sent what we can” loops.

Step 4: Document every touchpoint like you’re building a case file

Make a simple log (notes app or spreadsheet). For every contact, capture:

  • Date/time
  • Channel (chat, phone, email)
  • Agent name + department
  • Case/ticket number
  • What you asked for (paste your exact wording)
  • What they said (screenshots or copied text)

If you end up escalating, this timeline is your backbone.

Step 5: If you hear “privacy/security,” don’t argue—pin it down

In the Amazon reporting, “privacy” and “security” were the exact phrases tied to denials.

Your goal is to convert a vague refusal into something reviewable.

Use this escalation checklist:

  1. Ask for the policy in writing

“Can you send me the written policy that prevents responding to an FCRA 609(e) identity theft records request?”

  2. Ask for the right queue

“Please transfer this to a supervisor or the team handling fraud/legal identity theft record requests.”

  3. Restate the scope (keep it narrow)

“I’m requesting records related to fraudulent activity, not general access to an account.”

  4. Re-submit with tighter authorization (if law enforcement is involved)

Include a signed authorization from the victim and the officer/agency contact details.

If they claim reps “can’t access records,” treat that as a routing problem, not an endpoint. The FTC coverage describes instances where consumers were told agents weren’t able to access requested records.

What the proposed order changes, and the pattern behind it (Amazon + Kohl’s)

If you’ve already sent a clean 609(e) request and still got nowhere, the proposed order in the Amazon case is worth understanding for one reason: it’s aimed at how companies operationalize identity theft record requests, not just what the law says on paper.

What the proposed order pushes Amazon to do, operationally

Reporting on the FTC action highlights two big requirements baked into the proposed order:

  • Provide access within 30 days

Amazon would have to provide access to lawfully requested identity theft records to victims and authorized law enforcement within 30 days.

  • Notify certain consumers who may have been turned away

Amazon was also ordered to notify consumers who requested records since April 2024 but didn’t receive them that they may request additional records.

That second point matters more than it sounds. It’s basically the FTC acknowledging a real-world failure mode: people asked, got blocked or stalled, and then moved on—without realizing they might still be entitled to records that help clean up the mess.

The pattern: this isn’t “just an Amazon thing”

The same reporting ties the Amazon action to an earlier FTC case with a similar consumer pain point.

  • Kohl’s paid $220,000 to settle allegations after refusing to provide records of fraudulent transactions to identity theft victims.

Same theme, different retailer: when identity theft hits, victims often need business-held records to prove what happened. If internal support scripts or access controls treat those requests like a generic “privacy” issue, the victim is the one eating the delay—while the fraud risk keeps moving.

The bigger takeaway: the FTC is signaling that FCRA 609(e) compliance has to work at the frontline level, not just exist in a policy doc.

Two practical takeaways: protect your identity going forward + business compliance notes

The Amazon and Kohl’s actions share a blunt lesson: when identity theft hits, you may end up relying on a retailer’s internal records to clean up the damage. And if those records get stuck behind process, you lose time.

For individuals: reduce the blast radius before fraud starts

A lot of retail fraud gets easier when your real email and phone number are tied to every checkout, return, and shipping update. Once those identifiers leak or get recycled in scams, they become “keys” criminals keep trying on other doors.

A practical setup that lowers risk:

  • Use masked emails for shopping sign-ups

If one store gets breached or spams you, your primary inbox doesn’t become a permanent target.

  • Use a masked phone number for delivery updates and account recovery

This reduces SIM-swap bait, “your package is stuck” texts, and account takeover attempts that start with your phone.

  • Keep clean separation between:
  1. Your core identity (banking, payroll, government, medical)
  2. Your retail identity (shopping accounts, promo sign-ups, delivery notifications)

If you already juggle multiple accounts, Cloaked is one way to make that separation realistic day-to-day by letting you use aliases like masked email and phone for sign-ups, so a retail breach or sketchy form doesn’t automatically expose your real contact info.

For businesses: don’t let frontline scripts override legal obligations

The FTC’s Amazon reporting points to denials framed as “privacy” or “security,” plus delays beyond the required timeline. That’s usually not a “bad agent” problem. It’s a workflow problem.

If you’re building an FCRA 609(e) compliance process, the checklist should look like this:

  • One intake path for identity theft record requests

A dedicated queue beats hoping a chat rep routes it correctly.

  • Support training that’s specific

Agents need to recognize “FCRA 609(e) identity theft records” as a distinct request type, not a generic account-access ask.

  • Record retrieval that actually works

If teams can’t access the records, they can’t provide them. The FTC reporting describes situations where consumers were told reps couldn’t access the requested records.

  • A clock you treat as real

The proposed order requires access to lawfully requested records within 30 days.

  • A law enforcement lane

The reporting also notes issues with providing application and business transaction records to authorized law enforcement.

If your “privacy” script is stopping legitimate identity theft victims from getting identity theft records, you’re not protecting customers. You’re freezing them out at the worst possible moment.
