Senators Warren and Wyden urge FTC to investigate Amazon's role in Capital One hack

In July, Capital One revealed that a hacker had gained access to more than 100 million Capital One customers’ accounts and credit card applications.
Sen. Elizabeth Warren, D-Mass., speaks to the crowd at a town hall event in Aiken, S.C., on Aug. 17, 2019. Sean Rayford / Getty Images

Two lawmakers want to know about Amazon’s role in the Capital One hack that exposed data of 100 million customers.

U.S. Democratic Senators Ron Wyden and Elizabeth Warren wrote a letter to the Federal Trade Commission on Thursday asking it to investigate whether Amazon’s failure to secure the servers it rented to Capital One violated federal law.

In July, Capital One revealed that a hacker had gained access to more than 100 million Capital One customers’ accounts and credit card applications. Sensitive information, including Social Security numbers and bank account numbers, was compromised.

Capital One rented the hacked servers from Amazon’s cloud-based computing platform AWS.

“...the hacker stole the personal information of 100 million Americans from Capital One using a popular cyberattack technique known as a “server side request forgery” (SSRF),” the Senators write in their letter to the FTC. “Amazon knew, or should have known, that AWS was vulnerable to SSRF attacks.”

Capital One declined to comment. A spokesperson from the FTC confirmed the agency received the letter, but declined to comment. An Amazon spokesperson was not immediately available to comment.

The Senators cite Amazon competitors Google and Microsoft as examples of companies that have secured their cloud-based services against such hacks.

“Amazon’s failure to add a similar software protections SSRF attacks to its AWS cloud computing product has been the subject of significant public discussion among cybersecurity experts for the past five years, including in presentations at major industry conferences,” the Senators write.

Former AWS employee Paige Thompson was arrested after the hack was revealed and she has been charged with alleged computer fraud and “abuse for an intrusion on the stored data.”

“AWS was not compromised in any way and functioned as designed,” Amazon said in a statement to CNBC in July. “The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure. ... This type of vulnerability is not specific to the cloud.”

It comes as little surprise that one author of the letter is Warren, whose tough words calling for greater regulation of big tech companies have become a hallmark of her presidential campaign.