Two Democrats in the Senate are asking the Federal Trade Commission to investigate Amazon’s involvement in the Capital One data breach that affected more than 100 million people this past July.
Senators Ron Wyden, of Oregon, and Elizabeth Warren, of Massachusetts, sent a letter to the FTC on Thursday, calling for an investigation into whether Amazon’s “failure to secure its services” violates a federal law prohibiting unfair business practices. The letter says that Amazon knew about a security vulnerability that a hacker used to gain access to the personal data of millions of people who applied for a Capital One credit card in recent years.
In July, a Seattle software engineer was arrested for allegedly hacking into Capital One databases in one of the largest breaches of a major financial service in history.
A majority of the compromised information came from credit card application data submitted between 2005 and 2019 that included names, addresses, zip codes, phone numbers, email addresses, dates of birth, and self-reported income. The breach also exposed approximately 140,000 Social Security numbers and 80,000 bank account numbers, according to Capital One.
Paige Thompson, the alleged hacker, is a Seattle-based software engineer who previously worked for Amazon Web Services, the tech giant’s cloud computing arm. Thompson pleaded not guilty to federal charges of wire and computer fraud in August. She is awaiting trial.
The hacker used a method known as a “server-side request forgery,” or SSRF attack to gain access to Capital One data hosted by a cloud services provider, according to the charges. That provider is not named in the charges against Thompson but Capital One is a customer of Amazon. Capital One customers named Amazon Web Services as the cloud provider in a separate lawsuit.
“Amazon knew, or should have known, that AWS was vulnerable to SSRF attacks,” the letter from Wyden and Warren says. “Although Amazon’s competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective cloud computing services to businesses, government agencies, and to the general public. As such, Amazon shares some responsibility for the theft of data on 100 million Capital One customers.”
Update: An Amazon spokesperson called the claims “baseless and a publicity attempt from opportunistic politicians.”
“As Capital One has explained, the perpetrator attacked a misconfiguration at the application layer of a Capital One firewall,” he said. “The SSRF technique used in this incident was just one of many subsequent steps the perpetrator followed after gaining access to the company’s systems, and could have been substituted for a number of other methods given the level of access already gained.”
Amazon knew the servers they rented to Capital One were vulnerable to hacking, and 100 million Americans paid the price. It is unconscionable that in 2019, companies won’t take the necessary steps to secure Americans’ personal data. https://t.co/8JxhUa1bFn
— Ron Wyden (@RonWyden) October 24, 2019
The FTC is already investigating Amazon and other big tech companies to find out whether they have used their dominance to stifle competition.
Warren and Wyden are frequent critics of Big Tech. Warren has made breaking up dominant players in the industry part of her campaign platform in her quest for the White House in 2020.