FTC Fines Amazon $2.25 Million for Denying Identity-Theft Victims Their Fraud Records Under the FCRA

The Federal Trade Commission announced on June 30, 2026 that Amazon agreed to pay a $2.25 million civil penalty to resolve charges that it knowingly violated the Fair Credit Reporting Act by refusing, for years, to give identity-theft victims the records of fraudulent accounts opened in their names. It is the largest penalty ever imposed under Section 609(e) of the FCRA.
Information last verified on July 1, 2026. This is a developing story; we update it as the record changes.
Status: Announced by the FTC on June 30, 2026. The Department of Justice filed a complaint and a proposed stipulated order on the FTC's referral; the order takes effect once approved and entered by the federal court.
Jurisdiction scope: This article addresses a federal enforcement action under the Fair Credit Reporting Act, a federal statute that applies nationwide. It explains the law generally and does not advise on any specific dispute. For related state-level rules, see background check laws by state and data breach notification requirements.
What Happened
On June 30, 2026, the FTC announced a settlement requiring Amazon.com, Inc. to pay a $2.25 million civil penalty to resolve allegations that it knowingly failed to comply with Section 609(e) of the Fair Credit Reporting Act. The Department of Justice, acting on a referral and notification from the FTC, filed the complaint and a proposed stipulated order in federal court. The order becomes binding once the court approves and enters it.
Section 609(e) gives a victim of identity theft the right to obtain, within 30 days of a written request, the application and business transaction records connected to accounts or transactions that a thief opened or made in the victim's name. According to the FTC, Amazon frequently did not provide those records. The agency alleged that Amazon customer-service representatives told victims the company could not release the records for security or privacy reasons, and that Amazon required victims to identify the person who had stolen their information before it would turn over the records the statute entitles them to receive.
The FTC also alleged that Amazon lacked any written policy for handling Section 609(e) requests until early 2025, after the company learned of the FTC's investigation, even though FTC staff had earlier reached out to advise Amazon to review its compliance. The proposed order does more than impose the penalty. It prohibits Amazon from failing to comply with Section 609(e) going forward, requires the company to provide the records that identity-theft victims and law enforcement acting on their behalf lawfully request, requires Amazon to tell consumers how to make such requests, and requires the company to contact consumers who requested records since April 2024 but did not receive them, to inform them that additional records may be available.

What the Law Actually Says
The Fair Credit Reporting Act, 15 U.S.C. 1681 and following, is best known for governing consumer credit reports and background checks. Section 609(e), codified at 15 U.S.C. 1681g(e), is a narrower and less familiar provision. It directs that a business that has provided credit to, or entered a transaction with, a person who turns out to be an identity thief must give the actual victim copies of the application and business transaction records in the business's control that relate to the fraudulent transaction. The business must provide those records, at no charge, within 30 days of receiving the victim's written request and sufficient proof of identity.
The provision exists because identity-theft victims often cannot clear their names or build a police report without the underlying paperwork showing what was opened and where goods were shipped. The statute lets a victim get those records directly from the company, rather than depending on the thief or on a creditor's goodwill. The FTC and the Consumer Financial Protection Bureau share authority over the FCRA, and the FTC enforces it against many non-bank businesses. The FCRA is the same federal framework that governs the consumer reports used in hiring and tenant screening, which the site covers in its background check laws resources, including state guides such as California background check laws. This action is a reminder that the FCRA reaches beyond credit reporting into a retailer's duty to hand over fraud records.

Analysis: Why This Matters
The following is analysis from the Recording Law Editorial Team.
The size and target of this action are what make it notable. A $2.25 million penalty against one of the largest retailers in the country, tied to a provision the FTC had enforced only once before, signals that the agency views Section 609(e) as a real obligation rather than a dormant one. The alleged conduct, telling victims that privacy or security rules prevent the company from sharing records about the victim's own fraudulent accounts, is the kind of catch-22 the statute was written to prevent. Requiring a victim to name the thief before releasing records inverts the point of the law, because the records are often how a victim begins to identify the thief in the first place.
For the broader consumer-protection landscape, the action fits a pattern of the FTC using discrete statutory tools to police data practices at large platforms, a theme that also runs through its data-broker enforcement described in the site's coverage of the FTC Mobilewalla order and its work under state and federal breach rules tracked in the data broker registration laws resource. The order's forward-looking terms, especially the duty to re-contact consumers who were turned away since April 2024, matter as much as the penalty, because they convert a one-time fine into an ongoing compliance obligation. We are not predicting how any individual consumer's records request will be handled; the point is that the statutory right is now backed by a public enforcement precedent.
How This Affects You
This section describes general implications, not advice about any specific situation. If you are an identity-theft victim, Section 609(e) generally lets you send a written request to a business where a thief opened an account or made a transaction in your name and ask for the application and transaction records tied to that fraud. The business generally must provide those records within 30 days, at no charge, once you verify your identity and, if the business asks, provide a police report or FTC identity-theft report. Courts and agencies have treated the failure to comply as a violation the FTC can pursue. This does not mean every request will be simple, and businesses may lawfully ask for proof of identity. Anyone dealing with a specific identity-theft dispute or a business that refuses to provide records should consult a lawyer licensed in their jurisdiction or contact the FTC through its identity-theft resources.
What Happens Next
The settlement is a proposed stipulated order that requires approval and entry by the federal court before it binds Amazon. Once entered, the order's terms take effect, including the penalty, the prohibition on future Section 609(e) violations, the consumer-notice requirement, and the duty to re-contact consumers who requested records since April 2024. The FTC typically publishes the complaint and order, and the public docket will reflect the court's action.
More broadly, a second FTC enforcement action under Section 609(e), and the first against a company of Amazon's size, may prompt other large retailers and platforms to review how their customer-service and fraud teams respond to identity-theft record requests. The event that would turn any of this into a contested legal fight is a challenge to the order or future litigation over what records a business must produce; for now, the settlement stands as the FTC's public statement of what Section 609(e) requires.
This is general legal information, not legal advice. It covers a federal enforcement action under the Fair Credit Reporting Act and reflects sources verified on July 1, 2026. Laws change and this matter is developing; consult a lawyer licensed in your jurisdiction about your specific situation.
Sources
- FTC: Amazon to Pay $2.25 Million to Resolve Charges It Knowingly Violated the Fair Credit Reporting Act (June 30, 2026) (primary source; ftc.gov)
- Fair Credit Reporting Act, Section 609(e), 15 U.S.C. 1681g(e), Cornell Legal Information Institute (statute text)
- Federal Trade Commission: Fair Credit Reporting Act (legal library) (gov; enforcement authority)
Last updated: 2026-07-01. This is a developing story; details verified as of 2026-07-01.
Frequently Asked Questions
What did the FTC accuse Amazon of doing?
The FTC alleged that Amazon knowingly violated Section 609(e) of the Fair Credit Reporting Act by refusing, for years, to give identity-theft victims the application and transaction records of fraudulent accounts opened in their names, sometimes citing security or privacy and sometimes demanding that victims first identify the thief.
How much is Amazon paying?
Amazon agreed to a $2.25 million civil penalty, which the FTC says is the largest ever under Section 609(e) of the FCRA. The Department of Justice filed the complaint and a proposed stipulated order on the FTC's referral, and the order takes effect once a federal court approves it.
What is Section 609(e) of the Fair Credit Reporting Act?
Section 609(e), codified at 15 U.S.C. 1681g(e), requires a business to give an identity-theft victim, within 30 days of a written request and proof of identity, the application and business transaction records connected to fraud committed in the victim's name, at no charge.
How can an identity-theft victim request fraud records?
A victim generally sends a written request to the business where the fraudulent account or transaction occurred, includes proof of identity, and, if the business requires it, a police report or FTC identity-theft report. The business generally must provide the records within 30 days. This is general information, not legal advice.
Is this the first time the FTC enforced Section 609(e)?
No. According to the FTC, this is the second enforcement action under Section 609(e). The first was a $220,000 action against Kohl's in 2020. The Amazon penalty of $2.25 million is a record for the provision.
Does the Amazon order change the law for other companies?
The order binds Amazon once entered, but it does not amend the statute. Section 609(e) already applies to businesses generally. The action is significant as an enforcement precedent that signals the FTC will pursue companies that deny identity-theft victims their records.