Sens. Warren, Wyden want to know if Amazon shares some blame for the Capital One breach
Sens. Elizabeth Warren and Ron Wyden are asking federal regulators to investigate whether Amazon’s cloud computing unit made any mistakes that could have led to a breach at Capital One involving the data of more than 100 million people.
Warren, D-Mass., and Wyden, D-Ore., want the Federal Trade Commission to probe whether Amazon Web Services failed to account for a hacking technique known as a “server side request forgery.” Capital One is one of the few major financial companies — if not the only one — to rely on AWS and its public cloud to protect its information, portraying the decision as a move to modernize its business.
“Amazon knew, or should have known, that AWS was vulnerable to SSRF attacks,” the senators wrote in the letter, sent Thursday. “Although Amazon’s competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective cloud computing services to business, government agencies and to the general public.”
A lone suspect, a former AWS software engineer, was charged in July in connection with accessing financial information about some 106 million people from the U.S. and Canada.
In an August letter to Wyden, AWS said it was not aware of data breaches at any other “noteworthy” customers, adding that there “may have been small numbers of these that haven’t been escalated to us.”
In a statement, the company called the senators’ claims “baseless.”
“The SSRF technique used in this incident was just one of many subsequent steps the perpetrator followed after gaining access to the company’s systems, and could have been substituted for a number of other methods given the level of access already gained,” a company spokesperson said.
The letter sent Thursday goes on to say Amazon shares “some” of the responsibility for the breach. AWS has emerged as a key aspect of Amazon’s business, with clients including Netflix, Facebook and others. AWS, along with Microsoft, is one of the two remaining vendors competing for the $10 billion Department of Defense cloud contract known as JEDI.
Before this breach, a cloud security consultant warned Amazon that SSRF requests could be used to steal information from Amazon customers, according to the Wall Street Journal, which first reported the news.