Amazon Refuses Blame for Capital One Data Breach, Says Its Cloud Services Were 'Not Compromised in Any Way'

Cloud computing giant Amazon has distanced itself from the massive leak of customer data from Capital One, saying clients are responsible for their own applications.

Yesterday, the financial services company confirmed the breach impacted roughly 100 million individuals in the U.S. and approximately six million people in Canada. Data stolen included 140,000 social security numbers of credit card customers and 80,000 bank account numbers.

According to Capital One, the details were stolen in March via a misconfigured firewall. The personal data was related to people who had applied for the company's credit card products.

In the wake of the incident, Amazon has refused any blame for the intrusion, as The New York Times reported. The Jeff Bezos-owned technology giant said in a statement there was no evidence that its cloud computing services had been compromised by hackers.

An Amazon Web Services spokesperson told Newsweek: "AWS was not compromised in any way and functioned as designed. The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure. As Capital One explained clearly in its disclosure, this type of vulnerability is not specific to the cloud."

Leaky AWS buckets have been responsible for a stunning amount of unwanted data disclosures in recent years. In July, cybersecurity company UpGuard revealed that an IT contractor called Attunity had a misconfigured server which exposed customer data from a number of other firms, including Netflix and Ford. In 2017, files were leaked from an unsecured database that exposed data of nearly 200 million U.S. voters.

Amazon has always stressed that AWS provides its clients with full "ownership and control" of how they store—and protect—personal or sensitive information. It claims to offer "sophisticated technical and physical controls" that are designed to help combat any unauthorized access.

"As a customer, you maintain full control of your content and responsibility for configuring access to AWS services and resources," Amazon says on its website about the cloud service, adding a single key line that absolves it of leak-blame: "You choose how your content is secured."

Indeed, in many cases AWS data exposures are not the result of technical hacking tricks. In the Attunity case, for example, the files were public and visible in plain text, Bloomberg noted. In the 2017 election leak, cyber researchers said the files were not protected by a password.

The FBI has arrested a 33-year-old suspect, Paige A. Thompson, in relation to the Capital One incident, noting she used the name "erratic" online.

A criminal complaint said Thompson, who formerly worked at Amazon, had threatened to distribute data obtained from the bank. The suspect allegedly wrote during a Slack conversation in June: "I've basically strapped myself with a bomb vest, fucking dropping capital ones dox and admitting it. I wanna distribute those buckets I think first." She said files contained social security numbers, full names and dates of birth.

Thompson has been charged with one count of computer fraud and abuse. According to the Department of Justice (DoJ), the fraud is punishable by up to five years in prison and a $250,000 fine. Thompson's hearing will take place August 1.

Officials said leaked Capital One data was initially uploaded to a code repository website known as GitHub, prompting an individual to bring it to administrators' attention on July 17.

Federal agents searched the suspect's Seattle home yesterday and claimed to have seized digital storage devices, including one that contained a copy of the exfiltrated bank data. The complaint said Thompson "recognizes that she has acted illegally."

Richard Fairbank, CEO of Capital One, said: "While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."

Capital One
People walk past a branch of the Capital One Bank on April 17, 2019 in New York City. The firm suffered a major cyber-intrusion earlier this year, it has confirmed. JOHANNES EISELE/AFP/Getty