Elizabeth Warren is urging the FTC to investigate Amazon over concerns that it played a role in the massive Capital One data breach that affected 100 million people

  • US Senators Ron Wyden and Elizabeth Warren are urging the Federal Trade Commission to investigate Amazon over concerns that it could have played a role in the massive Capital One data breach in July.
  • Capital One stored customer data on Amazon Web Services, the e-commerce giant’s popular cloud service.
  • The senators wrote that Amazon does not implement the same level of security against the type of attack the suspected hacker used to obtain the data as companies like Google and Microsoft do.
  • Wyden previously wrote to Amazon CEO Jeff Bezos in August requesting more information about Amazon’s relationship to the attack.
  • It’s unclear, however, if Amazon holds any blame since the attack was executed by exploiting a firewall misconfiguration — not because of a direct breach of Amazon’s cloud service.

United States senators Ron Wyden (D-Oregon) and Elizabeth Warren (D-Massachusetts) are urging the Federal Trade Commission to investigate Amazon over the massive Capital One data breach that impacted more than 100 million people.

In July, it was discovered that a hacker obtained sensitive Capital One customer data that was stored on Amazon Web Services, the e-commerce giant’s popular cloud service. The incident impacted approximately 100 million people in the United States and six million in Canada, Capital One said at the time. The suspected hacker, former Amazon employee Paige A. Thompson, allegedly accessed the information by taking advantage of a firewall misconfiguration in Capital One’s cloud infrastructure.

Now, Wyden and Warren are pressing the FTC to investigate Amazon over whether or not what the senators called a “failure to secure the servers it rented to Capital One” may be in violation of federal law.

In a letter addressed to J. Simons, chairman of the FTC, Wyden and Warren accuse Amazon of not implementing the same level of protection against the type of attack that the suspected hacker used to obtain the data — known as a server side request forgery (SSRF) attack — as other tech firms like Microsoft and Google.

The senators also write that Amazon knew that its servers were vulnerable to SSRF attacks since August 2018, when a cybersecurity researcher contacted the company.

“Amazon knew, or should have known, that AWS was vulnerable to SSRF attacks,” the letter reads. “Although Amazon’s competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective cloud computing services to businesses, government agencies, and to the general public. As such, Amazon some responsibility for the theft of data on 100 million Capital One customers.”

An Amazon Web Services spokesperson called the letter’s claims “baseless” in a statement to Business Insider, saying that the attacker targeted a misconfiguration of Capital One’s firewall. See below for the company’s full comment.

“The letter’s claim is baseless and a publicity attempt from opportunistic politicians. As Capital One has explained, the perpetrator attacked a misconfiguration at the layer of a Capital One firewall. The SSRF technique used in this incident was just one of many subsequent steps the perpetrator followed gaining access to the company’s systems, and could have been substituted for a number of other methods given the level of access already gained.”

The FTC confirmed to Business Insider that it received the letter, but declined to comment further.

Ameesh Divatia, CEO and co-founder of data protection firm Baffle, also said that the blame should not rest with Amazon.

“Step one in terms of mitigating these issues is [to] get out of this false sense of security that cloud users have, that Amazon will take care of it,” Divatia said to Business Insider back in July.

Wyden previously wrote to Amazon CEO Jeff Bezos seeking more information about the company’s potential role in the incident.

This new letter comes as tech firms like Amazon have come under increased scrutiny over concerns relating to consumer privacy and potentially anticompetitive business practices. The FTC is said to have begun an investigation in September to determine whether Amazon is using its size and reach to hamper competition, according to Bloomberg.

Warren and Wyden have also been vocal critics of tech industry giants like Amazon. Back in March, Warren proposed a plan to break up large tech firms like Apple, Amazon, Google, and Facebook, while Wyden recently introduced a bill cracking down on tech firms and executives that violate user privacy.
