FTC urged to investigate Amazon over Capital One breach
Two Democratic Senators have written to the Federal Trade Commission (FTC) to request that it investigate whether Amazon could be held partially responsible for the Capital One hack.
In July, Capital One confirmed that a hacker had accessed the personal data of more than 100 million customers who had applied for credit cards between 2005 and 2019. The data included real names, addresses, credit scores, incomes, Social Security numbers, bank details, phone numbers and some payment history.
Also in July, a former Amazon Web Services (AWS) engineer was arrested by the FBI on charges of computer fraud and abuse after boasting about the attacks on Twitter, Slack and GitHub. According to the FBI, the suspect had specialised in cloud storage systems while working at Amazon and later used that knowledge to break into 700 AWS cloud storage buckets belonging to Capital One and download their contents. The entry point was a 'server-side request forgery' (SSRF): a misconfigured Capital One server was induced to make a request on the attacker's behalf to the cloud instance's metadata service, which returned temporary credentials that were then used to reach the buckets.
Now, Democratic presidential frontrunner Senator Elizabeth Warren and Senator Ron Wyden, who has also been recognised for his attempts to rein in big tech, have written a joint letter to the FTC calling on the watchdog to investigate whether Amazon's failure to secure the servers it provided to Capital One could constitute a violation of federal law.
“Amazon knew, or should have known, that AWS was vulnerable to SSRF attacks,” they wrote. They commented that Google and Microsoft had secured their cloud services against this type of cyberattack.
“Amazon’s failure to add a similar software protection against SSRF attacks to its AWS cloud computing product has been the subject of significant public discussion among cybersecurity experts for the past five years, including in presentations at major industry conferences.”
An AWS spokesperson told CNBC that: “The letter’s claim is baseless and a publicity attempt from opportunistic politicians. As Capital One has explained, the perpetrator attacked a misconfiguration at the application layer of a Capital One firewall. The SSRF technique used in this incident was just one of many subsequent steps the perpetrator followed after gaining access to the company’s systems, and could have been substituted for a number of other methods given the level of access already gained.”
Last week, Wyden introduced a strict privacy bill (the ‘Mind Your Own Business Act’) to the US Senate. The legislation, which has little chance of being passed into law in its initial form, aims to give the FTC the power to issue massive first-time fines of four per cent of annual revenue when tech companies violate their users’ privacy and to jail senior tech executives for lying to the government about their practices. Meanwhile, Warren has thrown down the gauntlet to her fellow Democratic presidential hopefuls with a detailed set of policy proposals, including plans to break up tech giants to prevent anti-competitive behaviour.