An outage at Amazon Web Services on Monday, which led to the failure of major websites including Canva, Snapchat and several banks, could cost businesses several billion dollars, experts have warned.
The services of more than 1,000 companies have been affected by the outage, while Downdetector, which tracks outages, has received more than eight million reports from users highlighting problems with accessing websites, apps, games and online banking services. Over one million of the reports have been from the UK.
Companies with services impacted include Amazon, Bank of Scotland, Duolingo, Eventbrite, Flickr, Fortnite, Halifax, HMRC, Lloyds Bank, Perplexity AI, Playstation Network, Pokemon Go, Slack, Square, Whatsapp, Wordle, Xero and Zoom.
At the time of writing, Amazon Web Services said the underlying issue has been fixed but a full recovery will take longer.
When a similar event happened last year at Crowdstrike, home delivery company Parcelhero warned that it cost $5.4 billion in losses for Fortune 500 companies and impacted several companies globally.
David Jinks, the firm’s head of consumer research, said: “Yet again, global e-commerce businesses and services have been reminded how fragile the online ecosystem really is, when so many companies are reliant on a handful of key service providers.
“In a 2024 survey, 76% of global respondents reported that they ran applications on AWS and 48% of developers used its services. Snapchat, Reddit and Lloyds Bank are among the apps and websites impacted by today’s failure. Downdetector reports the AWS outage has affected more than 1,000 companies.
“Even if e-commerce companies and delivery organisations escaped the direct impact of the AWS outage, payments may have failed due to banking problems and other issues.
“With airline systems being reportedly impacted, there could also be global supply chain problems, as much of the world’s airfreight is carried in the bellyhold of passenger airliners. So far, the impact on airlines seems limited to minor delays but, during the Crowdstrike outage, both airports and ports were affected.
“Today’s outage is thought to have occurred initially at Amazon‘s US-EAST-1 region in Virginia, its original and largest web services location. Even though the initial issue that caused the problem was reportedly fixed within hours, the ongoing problems could affect some companies for many more hours if not days, if the Crowdstrike incident’s impact is repeated.”
Other reaction to the AWS outage
Tim Wright, tech partner at law firm Fladgate, said the AWS outage “underscores the growing systemic risk from heavy national and sectoral reliance on a small number of hyperscale cloud providers”.
He added: “Today’s incident highlights the tension between cloud convenience and concentration risk. For regulated entities, especially in financial services, the UK’s Critical Third Parties (CTP) regime — now in force under the Financial Services and Markets Act 2024 and applied through the PRA and FCA’s operational resilience framework — will inevitably come into sharper focus.
“Supervisors may require stress testing and post‑incident audits to ensure that firms maintain visibility and contractual leverage over their cloud dependencies.
“Today’s event is a reminder that resiliency is not purely a technical parameter but a regulatory and contractual one. Firms must reassess their agreements with specific focus on cloud exit, redundancy and incident‑notification contractual clauses through that lens.”
Aras Nazarovas, senior security researcher at Cybernews, said:
“Today’s outage for multiple services was the result of internal DNS failures at Amazon Web Services in their US-EAST-1 region of AWS Cloud. Similar failures have been common causes for major outages in the past, and usually stem from incorrect, updated configurations, or due to poor monitoring of expiration timelines for configurations, certificates, etc.
“From initial reporting there are no indications of any security breach, however failing to keep information or resources available for clients can be classified as a cyber incident, even if there was no malicious outsider or malicious intent.
“Similar outages occur almost every year, and they can be a reminder of how extensive software supply chains have become, showing how a simple issue on a handful of Amazon Data Centers caused thousands of issues to their clients.
“Clients of affected services were impacted by failing to access their resources and data hosted by AWS for ~4hours impact of such a failure to ensure availability can vary greatly depending on the specific business and industry that used impacted AWS services, in worst case scenarios such an outage could have had serious consequences in critical infrastructure sectors.
“In the event of such disruptions users should immediately seek alternative solutions for communication (different app, phone calls, SMS, radio) to be able to coordinate next steps towards recovering from such a disruption. It is a good practice to have a disaster recovery plan where alternative communication channels and other critical steps have been planned in advance.”
Melanie Pizzey, CEO and founder of the Global Payroll Alliance said:
“While the public tends to focus on visible disruptions to shopping, entertainment or communications, the hidden threat lies much deeper, particularly in critical functions like payroll. For example, we’re already seeing reports that Xero, Square, and HMRC are all being impacted by this outage.
“Today, the vast majority of payroll systems are cloud-based, relying on third-party infrastructure for everything from time tracking and data processing to payment distribution. When platforms like AWS go down, there is an immediate risk that salaries will not be calculated correctly, processed on time, or delivered at all.
“In many cases, a delay in payroll, even by a day, can create serious consequences for both employees and employers, including financial hardship, compliance breaches, and loss of trust.
“And let’s consider the fact that this outage appears to be global, rather than confined to one nation, which means employees across the world may now be facing issues with late, missing, or incorrect payment, the knock-on effect of which could be devastating for millions of people.”
Hanna Basha, dispute resolution partner at law firm Payne Hicks Beach, said:
“A timely reminder that it’s not if but when. Today’s digital threats are complex, fast-moving and reputationally devastating. In order to be able to deal with a fast-paced cyber incident, it is important to prepare.
“As today has shown crisis response is dynamic and it is important to remain agile but the more you can do in advance of a cyber incident the better it will be handled. Whether it’s ransomware, AI deepfakes, or coordinated disinformation campaigns, organisations must be ready to respond legally, strategically and ethically.”