Sens. Elizabeth Warren and Ron Wyden are asking the Federal Trade Commission to investigate Amazon over the Capital One breach, in which a hacker allegedly stole data from more than 100 million credit card applications earlier this year.
The breach, disclosed in July, happened because of a misconfigured firewall on Amazon Web Services (AWS) cloud server, according to the Department of Justice. The alleged hacker, Paige Thompson, was an employee at AWS from 2015 to 2016 as a systems engineer. Amazon said she left the company three years before the hack took place. Thompson has been charged with computer fraud and abuse.
Now two Democratic lawmakers want the FTC to determine whether Amazon failed to properly secure the servers that it rented out to Capital One. When database breaches happen, it's often the host -- in this case, Capital One -- that's blamed for failing to secure the data, rather than the cloud service provider.
With this request to the FTC, Wyden of Oregon and Warren of Massachusetts are pointing a finger at Amazon.
"The letter's claim is baseless and a publicity attempt from opportunistic politicians," an AWS spokesperson said in a statement. "As Capital One has explained, the perpetrator attacked a misconfiguration at the application layer of a Capital One firewall."
In a letter to Wyden in August, Amazon said that Thompson hacked into Capital One's servers using a "Server-Side Request Forgery" (SSRF) vulnerability. This can happen when the attacker makes requests to a vulnerable third-party server rather than the protected cloud server itself. It's a popular way to to steal data from cloud servers.
Wyden and Warren said Amazon knew about this issue since 2018, when a security researcher urged Amazon to provide protections for it. Google has been providing protections against SSRF attacks since 2013, and Microsoft started protecting against them in 2017.
"Amazon knew, or should have known, that AWS was vulnerable to SSRF attacks," the senators wrote in their letter. "Although Amazon's competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective cloud computing services to businesses, government agencies, and to the general public. As such, Amazon shares some responsibility for the theft of data on 100 million Capital One customers."
You can read the full letter here:
Originally published at 7:18 a.m. PT.
Update, 10:24 a.m.: Adds response from Amazon.