Amazon tells senators it isn't to blame for Capital One breach

Sens. Elizabeth Warren and Ron Wyden have called for an investigation of Amazon, which hosted a cloud server used by the banking giant.

Alfred Ng Senior Reporter / CNET News

In a letter to senators, Amazon said it wasn't negligent in the Capital One breach.


Amazon is pushing back against two lawmakers who've called out the company over security concerns after a hacker broke into a cloud server it hosted and stole millions of people's data from Capital One.

Disclosed in July, the Capital One breach allegedly involved a former Amazon Web Services (AWS) systems engineer, who, according to the Department of Justice, took advantage of the banking giant's misconfigured firewall. 

In October, Sens. Elizabeth Warren and Ron Wyden called on the Federal Trade Commission to investigate whether Amazon was negligent in protecting the server it rented to Capital One. 

In a letter sent to the two senators Wednesday, AWS' chief information security officer, Steve Schmidt, defended the tech giant, arguing that the breach happened because of an issue with Capital One, not any security vulnerabilities from Amazon. 

"As we made clear in our letter of August 13, 2019, 'the attack occurred due to a misconfiguration error at the application layer of a firewall installed by Capital One, exacerbated by permissions set by Capital One that were likely broader than intended,'" Schmidt said. 

Amazon and Capital One didn't respond to requests for comment. 

Schmidt also said Amazon took action in May to improve AWS security, about two months after the breach occurred. 

"After years of leaving cloud customers' data vulnerable, Amazon appears to have finally taken this important step to improve the security of their servers," Warren and Wyden said in a statement. 

The two senators called on Congress to "continue to conduct oversight of powerful corporations that hold vast amounts of Americans' most sensitive information."

Amazon's response letter sent on Wednesday denied that the hack happened because of a vulnerability known to Amazon, even though the company noted in an Aug. 13 letter to Wyden that it believed the alleged hacker used that flaw.

Schmidt backtracked on Amazon's response from August, telling the senators that the company later learned that the alleged hacker didn't use a "Server-Side Request Forgery" (SSRF) attack to steal data from Capital One.

SSRF is a popular hacking technique for stealing cloud data: rather than attacking the protected cloud server directly, the attacker induces a vulnerable, internet-facing server connected to it to make requests on the attacker's behalf to internal resources they could not reach themselves.
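The defensive counterpart to the technique described above is to stop an application from fetching internal or link-local destinations on a user's behalf. The following is an added example, not code from the article, from AWS or from Capital One: an outbound-request guard that resolves the requested host and refuses loopback, link-local (the range in which cloud metadata services live), private, reserved and multicast addresses, including IPv4 addresses hidden inside IPv4-mapped IPv6 literals. The hostnames and the address table used to run it offline are constructed for the example.

```python
"""Added example (not from the article): an SSRF guard for outbound HTTP fetches.

A URL is accepted only if its scheme is http(s) and every address its host
resolves to is a public, routable address.
"""
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def is_forbidden_address(addr: str) -> bool:
    """True if addr is loopback, link-local, private, reserved, multicast or unspecified."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 range checks apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def system_resolver(host: str) -> List[str]:
    """Resolve host to every A/AAAA record via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(
    url: str,
    resolver: Callable[[str], List[str]] = system_resolver,
) -> Tuple[bool, str]:
    """Return (allowed, reason). Fails closed on anything it cannot resolve or parse."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname  # already lower-cased and stripped of [] for IPv6 literals
    if not host:
        return False, "missing host"

    try:
        # Literal IP in the URL: check it directly, no DNS involved.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addresses = resolver(host)
        except Exception as exc:  # unknown host, resolver error: fail closed
            return False, f"resolution failed for {host!r}: {exc}"
        if not addresses:
            return False, f"no addresses for {host!r}"

    # Every record must be acceptable; one internal record is enough to reject.
    for addr in addresses:
        try:
            if is_forbidden_address(addr):
                return False, f"{host!r} resolves to forbidden address {addr}"
        except ValueError:
            return False, f"unparseable address {addr!r}"
    return True, "ok"


# Constructed DNS table so the example runs offline (hypothetical hostnames).
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "metadata.example": ["169.254.169.254"],
    "mixed.example": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in [
        "https://public.example/report",
        "http://metadata.example/",
        "http://169.254.169.254/",
        "http://[::ffff:169.254.169.254]/",
        "http://mixed.example/",
        "file:///etc/hosts",
    ]:
        print(f"{candidate:45} -> {validate_outbound_url(candidate, fake_resolver)}")
```

Validating the URL and then letting an HTTP library perform its own, second DNS lookup leaves a rebinding window; in production the guard should connect to the address it just validated and set the Host header itself, and it is a complement to, not a substitute for, the provider-side metadata protections the senators and Schmidt argue about below.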

In their October letter to the FTC, Warren and Wyden said Amazon had known about this vulnerability since 2018, and had failed to provide protections against it like Google and Microsoft have. 

The AWS executive argued that those protections from Amazon's competitors wouldn't have mattered.

"Based on what we have been told of the incident by our customer and the FBI, the mitigation used by other providers would not have prevented the attacker from stealing credentials," Schmidt wrote.

He said that since Amazon's update in May, AWS now has protections beyond what its cloud-hosting rivals provide, and that the protections are enabled by default. 

"We have a very broad customer base, and for the last 13 years, we have encountered lots of varying and evolving threats from bad actors," Schmidt said. "As such, we view it as core to our mission to keep innovating and building security capabilities to enable customers to monitor and protect their resources."
