U.S. Democratic Senators Ron Wyden and Elizabeth Warren wrote a letter to the Federal Trade Commission on Thursday asking it to investigate whether Amazon’s failure to secure the servers it rented to Capital One violated federal law.
In July, Capital One revealed that a hacker had gained access to more than 100 million Capital One customers’ accounts and credit card applications. Sensitive information, including Social Security numbers and bank account numbers, was compromised.
Capital One rented the hacked servers from Amazon’s cloud-based computing platform AWS.
“...the hacker stole the personal information of 100 million Americans from Capital One using a popular cyberattack technique known as a ‘server side request forgery’ (SSRF),” the Senators write in their letter to the FTC. “Amazon knew, or should have known, that AWS was vulnerable to SSRF attacks.”
Capital One declined to comment. A spokesperson from the FTC confirmed the agency received the letter, but declined to comment. An Amazon spokesperson was not immediately available to comment.
“Amazon’s failure to add a similar software protections SSRF attacks to its AWS cloud computing product has been the subject of significant public discussion among cybersecurity experts for the past five years, including in presentations at major industry conferences,” the Senators write.
Former AWS employee Paige Thompson was arrested after the hack was revealed and she has been charged with alleged computer fraud and “abuse for an intrusion on the stored data.”
“AWS was not compromised in any way and functioned as designed,” Amazon said in a statement to CNBC in July. “The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure. ... This type of vulnerability is not specific to the cloud.”
It comes as little surprise that one author of the letter is Warren, whose tough words calling for greater regulation of big tech companies have become a hallmark of her presidential campaign.