Elizabeth Warren Calls for Amazon to be Investigated over Capital One Hack

Elizabeth Warren has pushed for the Federal Trade Commission to investigate whether Amazon broke federal law over the Capital One hack, accusing the retail giant of a "failure to secure the servers" it rented to the bank.

In a joint letter sent on Thursday by the Senator of Massachusetts and her colleague Sen. Ron Wyden, the Democrats claimed Amazon knew its servers were "vulnerable" to the attack that affected Capital One earlier this year "since mid-2018 at the latest."

The senators also accused Amazon Web Services, the company's cloud computing arm, of selling "defective cloud computing services" to government bodies, businesses and the general public.

Capital One revealed that the financial and personal data of more than 100 million customers had been compromised as a result of the hack. The data breach included the compromise of 140,000 customer social security numbers and 80,000 bank account numbers.

The contact information, birth dates, names and addresses of the bank's users were also caught up in the hack resulting from a misconfigured firewall.

Amazon Web Services was pulled into the fiasco when it was claimed that the accused hacker Paige Thompson, a 33-year-old former employee, had allegedly created a scan for AWS customers with the firewall misconfiguration, according to Wired.

The letter sent by Warren and Wyden on Thursday opened by urging the FTC to investigate whether Amazon "violated federal law" by failing to secure servers it rented to Capital One.

Democratic presidential candidate Sen. Elizabeth Warren (D-MA) visits with striking Chicago teachers at Oscar DePriest Elementary School on October 22, 2019 in Chicago, Illinois. Scott Olson/Getty Images

"Amazon knew, or should have known, that AWS was vulnerable to SSRF [server-side request forgery] attacks. Although Amazon's competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective cloud computing services to businesses, government agencies, and to the general public," the senators wrote.

"As such, Amazon shares some responsibility for the theft of data on 100 million Capital One customers."

Server-side request forgery exploits involve an attacker forcing another organisation's server to perform a task for them, according to Infosec.

The letter then specifically requested that the FTC investigate "whether Amazon's failure to secure its services" amounted to unfair business practice in breach of Section 5 of the FTC Act.

Under that section of the act, businesses are prohibited from using "unfair methods of competition" and "unfair or deceptive acts or practices," Thomson Reuters Practical Law says.

Newsweek contacted Amazon for a response to the letter, but did not receive a reply by the time of publication. The FTC confirmed it had received the letter but offered no additional comment.

A Capital One spokesperson said the company declined to comment on the letter.

Amazon Web Services has previously dismissed any attempts to place blame on its end. A spokesperson told Newsweek in June that AWS was "not compromised in any way" and later added: "The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure."

Responding to questions sent to Jeff Bezos in a letter from Wyden earlier this year, Amazon said an SSRF attack was used by the alleged hacker to get past "a misconfiguration error at the application layer of a firewall installed by Capital One."

The company also told the senator that it had "reached out" to other customers the alleged hacker claimed to have successfully attacked and "offered to help them assess and secure their data."

Another investigation into the Capital One personal data breach was launched by a law firm planning to bring a class-action lawsuit against the company in August.