U.S. lawmakers eye AWS role in Capital One data breach

In the fallout stemming from the massive Capital One data breach in July, and Amazon Web Services’ ties to the breach, two U.S. senators are calling for an investigation. In an open letter to the Federal Trade Commission’s Chairman Joseph J. Simons, Sen. Ron Wyden (D-Ore.) and Sen. Elizabeth Warren (D-Mass.) assert that Amazon should be held accountable for lax security measures. The alleged Capital One hacker, Seattle software developer Paige Thompson, had previously worked for Amazon Web Services. AWS hosted the Capital One database that was hacked.

The opinion held throughout the open letter is that Amazon should have known that the AWS servers used by Capital One were vulnerable to a server-side request forgery (SSRF) attack. Wyden and Warren state that since competitors like Google and Microsoft patched their servers well before this attack, Amazon has no excuse for what occurred. They state that “Amazon’s failure to secure the servers it rented to Capital One may have violated federal law” and “Amazon continues to sell defective cloud computing services to businesses, government agencies and to the general public.”

The senators cited the FTC’s ruling in a 2013 case that involved smartphone manufacturer HTC to bolster their legal claims. In this particular case, the senators assert that “the FTC has made it clear that companies have an obligation to act on third-party reports of cybersecurity vulnerabilities.” This is, in fact, true, as the 2013 HTC case saw the FTC charge the company with failing to act on security vulnerability reports and, in turn, with being culpable in “an unfair business practice.”

The FTC has yet to act on this open letter, but the letter is casting an even more negative light on Amazon. The company itself, however, will likely brush off the allegations. In a report for Infosecurity Magazine, Phil Muncaster notes that Amazon “has argued in the past that had Capital One not misconfigured its WAF, the SSRF attack would not have been possible.”

This case will be followed closely and any new information will be reported accordingly.
