Sens. Ron Wyden (D-Ore.) and Elizabeth Warren (D- Mass.) have asked the Federal Trade Commission (FTC) to investigate Amazon.com, Inc. to see if the company failed to secure its servers before Capital One was hacked earlier this year. The investigation will determine if Amazon broke federal law.
“Amazon knew, or should have known, that AWS was vulnerable to SSRF attacks. Although Amazon’s competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective cloud computing services to businesses, government agencies, and to the general public. As such, Amazon shares some responsibility for the theft of data on 100 million Capital One customers,” Wyden and Warren wrote.
According to Capital One, sensitive information of about 100 million people in the US and an additional 6 million in Canada were affected by the breach in Amazon’s cloud-computing system. Unlike other hacks, there is only one suspect for this case: Paige A. Thompson, also known as ‘erratic’. She was arrested by the FBI in July and charged with computer fraud and abuse. The suspect, a 33-year-old former Amazon employee, was able to hack users through a ‘misconfigured web application firewall.’ Computer fraud and abuse is punishable by up to five years in prison and a $250,000 fine.
In July, Capital One announced the security breach. The complaint (United States of America v. Paige A. Thompson, a/k/a ‘erratic’) states Thompson hacked Capital One sometime between March and July 2019. Thompson hacked into servers rented or contracted by Capital One, a financial corporation, from a cloud computing service provider, Amazon Web Services. Paige A. Thompson is linked to the security breach because the information from the breach was posted on GitHub and the digital address includes her full name in it, and links to her. Capital One indicates that the IP address used by the hacker is controlled by a virtual private network service provider, which was used by Thompson to post on GitHub. On social media, Thompson also indicated that she had information from Capital One, and that she acted in an illegal manner. After reviewing the files, Capital One determined that there was a security breach, it was a firewall misconfiguration that allowed Thompson to access data secured on storage space at Amazon Web Services.
In August, Sen. Wyden wrote to Amazon CEO Jeff Bezos to understand how default configuration settings could have led to the security and data breaches. Amazon responded to the letter detailing, among other things, security guidance that Amazon provides to its customers. Sen. Warren also wrote to Amazon following the breach with concerns about its public impact.
The suit could have far reaching impacts to the financial sector. Amazon Web Services is one of the few cloud providers that the financial industry uses. CNBC reported, “Regulators have been asking for years whether banks’ use of a narrow set cloud providers creates a systemic risk to the financial system…Now the theory will be tested.” The 2010 Dodd-Frank Act categorized certain institutions as ‘systemically important’, these institutions receive enhanced capital and cybersecurity oversight. Many of these institutions are banks or related institutions. Another category, also heavily regulated is ‘Systemically Important Financial Market Utilities’ (SIMFU) because these institutions help the financial industry. There are eight companies in this category. Regulators have considered adding cloud service providers to the list. In August, Reps. Nydia Velazquez (D-N.Y.) and Katie Porter (D-Calif.), suggested to the Financial Stability Oversight Council to add cloud service providers to the SIFMU list. They asked the council, “to consider designating Amazon Web Services, Microsoft Azure and Google Cloud as SIFMUs under the Title VIII of the Dodd-Frank Act.”
As reported by CNBC, “[a]n Amazon spokesperson criticized Warren’s letter, written with Sen. Ron Wyden, D-Ore., for conflating the client and host in this way, saying via email: ‘The letter’s claim is baseless and a publicity attempt from opportunistic politicians. As Capital One has explained, the perpetrator attacked a misconfiguration at the application layer of a Capital One firewall. The SSRF technique used in this incident was just one of many subsequent steps the perpetrator followed after gaining access to the company’s systems, and could have been substituted for a number of other methods given the level of access already gained.’”