Democratic senators Ron Wyden and Elizabeth Warren have written a request to the Federal Trade Commission this week asking for details about the role of Amazon in the hack of Capital One that exposed the data of 100 million customers. They want the FTC to investigate whether Amazon’s inability to secure the servers rented out to Capital One violated federal laws. In July this year, Capital One revealed that a hacker had gained access to its database and stolen information related to the accounts and credit cards of more than 100 million customers.
The breach also compromised sensitive information such as social security numbers and bank account details. Capital One had rented the servers from AWS, Amazon’s cloud computing services division. The hacker had apparently used a technique called server-side request forgery (SSRF). The senators feel this points to a dereliction of duty by Amazon, which they say should have known that its cloud services are vulnerable to SSRF attacks.
The senators cited competitors of Amazon, such as Microsoft and Google, that provide similar services but have managed to secure their clouds against such attacks. They stated that Amazon’s failure to add similar security software to its products to guard against SSRF has been the subject of public discussion among experts for several years now, including at industry conferences. Paige Thompson, a former employee of AWS, was arrested shortly after the hack was discovered, as it was revealed that she was responsible for computer fraud and abuse in the intrusion into stored data.
After the arrest, Amazon issued a statement saying that AWS was not compromised and that the perpetrator was able to break in through a misconfiguration of a web application, not by breaking into the cloud-based infrastructure. The company affirmed that the type of vulnerability exploited by the hacker is not specific to the cloud. Senator Warren’s strong stance in favor of greater regulation of big technology firms has become a hallmark of her ongoing presidential campaign.