In the fallout stemming from the massive Capital One data breach in July, and Amazon Web Services’ ties to the breach, two U.S. senators are calling for an investigation. In an open letter to the Federal Trade Commission’s Chairman Joseph J. Simons, Sen. Ron Wyden (D-Ore.) and Sen. Elizabeth Warren (D-Mass.) assert that Amazon should be held accountable for lax security measures. The alleged Capital One hacker, Seattle software developer Paige Thompson, had previously worked for Amazon Web Services. AWS hosted the Capital One database that was hacked.
The opinion held throughout the open letter is that Amazon should have known that the AWS servers used by Capital One were vulnerable to a server-side request forgery (SSRF) attack. Wyden and Warren state that since competitors like Google and Microsoft patched their servers well before this attack, Amazon has no excuse for what occurred. They state that “Amazon’s failure to secure the servers it rented to Capital One may have violated federal law” and “Amazon continues to sell defective cloud computing services to businesses, government agencies and to the general public.”
The senators cited the FTC’s ruling in a 2013 case involving smartphone manufacturer HTC to bolster their legal claims. In that case, the senators assert, “the FTC has made it clear that companies have an obligation to act on third-party reports of cybersecurity vulnerabilities.” This is, in fact, true: in the 2013 HTC case the FTC charged the company with failing to act on security vulnerability reports and, in turn, with being culpable in “an unfair business practice.”
The FTC has yet to act on this open letter, but it is casting even more negative light on Amazon. The company itself, however, will likely brush off the allegations. In a report for Infosecurity Magazine, Phil Muncaster notes that Amazon “has argued in the past that had Capital One not misconfigured its WAF, the SSRF attack would not have been possible.”
This case will be followed closely and any new information will be reported accordingly.