Financial

Sens. Warren, Wyden want to know if Amazon shares some blame for the Capital One breach

Capital One had shifted to AWS to modernize its business.

October 24, 2019

(Scoop News Group photo)

Sens. Elizabeth Warren and Ron Wyden are asking federal regulators to investigate whether Amazon’s cloud computing unit made any mistakes that could have led to a breach at Capital One involving the data of more than 100 million people.

Warren, D-Mass., and Wyden, D-Ore., want the Federal Trade Commission to probe whether Amazon Web Services failed to account for a hacking technique known as a “server side request forgery.” Capital One is one of the few major financial companies — if not the only one — to rely on AWS and its public cloud to protect its information, portraying the decision as a move to modernize its business.

“Amazon knew, or should have known, that AWS was vulnerable to SSRF attacks,” the senators wrote in the letter, sent Thursday. “Although Amazon’s competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective cloud computing services to business, government agencies and to the general public.”

A lone suspect, a former AWS software engineer, was charged in July in connection with accessing financial information about some 106 million people from the U.S. and Canada.

In an August letter to Wyden, AWS said it was not aware of data breaches at any other “noteworthy” customers, adding that there “may have been small numbers of these that haven’t been escalated to us.”

In a statement, the company called the senators’ claims “baseless.”

“The SSRF technique used in this incident was just one of many subsequent steps the perpetrator followed after gaining access to the company’s systems, and could have been substituted for a number of other methods given the level of access already gained,” a company spokesperson said.

The letter sent Thursday goes on to say Amazon shares “some” of the responsibility for the breach. AWS has emerged as a key aspect of Amazon’s business, with clients including Netflix, Facebook and others. AWS, along with Microsoft, is one of the two remaining vendors competing for the $10 billion Department of Defense cloud contract known as JEDI.

Before this breach, a cloud security consultant warned Amazon that SSRF requests could be used to steal information from Amazon customers, according to the Wall Street Journal, which first reported the news.

Sens. Warren, Wyden want to know if Amazon shares some blame for the Capital One breach

More Like This

Treasury official: Small financial institutions have ‘growth to do’ in using AI against threats

SEC’s breach disclosure rule raises concerns about tipping off hackers to flawed systems

With a mysterious surveillance target identified, calls for Congress to change course

Top Stories

‘Large volume’ of data stolen from UN agency after ransomware attack

FBI director warns of China’s preparations for disruptive infrastructure attacks

More Scoops

US financial regulator fines Capital One $80 million over data breach

Judge rules Capital One must hand over Mandiant’s forensic data breach report

Alleged Capital One hacker Paige Thompson to be released before trial

Accused Capital One hacker had as much as 30 terabytes of stolen data, feds say

Accused Capital One hacker pleads not guilty to all charges

Indictment of Capital One suspect alleges breaches of 30 companies, cryptojacking

Amazon Web Services finds no ‘significant issues’ at other companies allegedly breached by Paige Thompson

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics