A group of angry customers filed a lawsuit against Capital One this week following the hack that affected more than 106 million people. And they aren’t stopping there; the group also named Amazon Web Services, Capital One’s cloud provider, alleging the tech giant is also culpable for the breach.
The hack has led to multiple lawsuits and become another flashpoint in the debate over privacy and security. In the wake of this attack, questions have arisen about whether the technology providers that power companies such as Capital One should also be held responsible. A similar lawsuit, filed last week in California, brought GitHub into the fray, arguing that the code repository failed to monitor and respond to hacked data on its website.
The new lawsuit, filed this week in federal court in Seattle, is unique because it includes Amazon as a defendant. It argues that Amazon knew about a vulnerability allegedly exploited by the hacker, Seattle-based engineer Paige Thompson, to pull off the attack and “did nothing to fix it.” The alleged attacker, a former AWS employee, hacked into a misconfigured web application firewall.
“The single-line command that exposes AWS credentials on any EC2 system is known by AWS and is in fact included in their online documentation,” according to the complaint. “It is also well known among hackers.”
We’ve reached out to Amazon and Capital One and we will update this post if we hear back.
The suit alleges the companies did not disclose the breach when they learned of it. The hack took place on March 22 and 23, according to Capital One. But the company wasn’t notified until July 17 after a GitHub user, referred to as an ethical security researcher, flagged a post on the code site from Thompson talking about the theft. Two days later, on July 19, the FBI was notified.
The proposed class action suit, which includes plaintiffs from eight states and a nonprofit in Kentucky, alleges that the two companies were negligent and violated Washington state’s Consumer Protection Act and Data Breach Disclosure Law.
Mark Bartholomew, a cyber law professor at the University at Buffalo’s School of Law, told Yahoo Finance that Capital One’s quick response, along with reports that Thompson didn’t do anything nefarious with the information obtained in the hack, could hurt the various lawsuits filed against the companies.
Bartholomew also said infrastructure providers like Amazon don’t typically face liability in cases like this, adding that Amazon and Capital One likely had an agreement assigning liability to the bank in the event of a breach.
Earlier this week U.S. Sen. Ron Wyden of Oregon sent a letter to Amazon CEO Jeff Bezos about the nature of the hack and whether vulnerabilities in the company’s cloud services had anything to do with it. Although proper configuration is up to cloud customers, Wyden wants to find out if it is a vulnerability that regularly leaves Amazon Web Services clients exposed.
“When a major corporation loses data on a hundred million Americans because of a configuration error, attention naturally focuses on that corporation’s cybersecurity practices,” Wyden’s letter says. “However, if several organizations all make similar configuration errors, it is time to ask whether the underlying technology needs to be made safer, and whether the company that makes it shares responsibility for the breaches.”
Capital One previously said that “this type of vulnerability is not specific to the cloud. The elements of infrastructure involved are common to both cloud and on-premises data center environments.”
Thompson is charged with hacking into Capital One’s databases and gaining access to approximately 140,000 Social Security numbers and 80,000 bank account numbers. Thompson was arrested last month for the hack, which was one of the largest breaches of a major financial service, impacting 100 million people in the U.S. and 6 million people in Canada.
A majority of the compromised information came from credit card application data submitted between 2005 and 2019 that included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Credit score information, payment history, transaction data, contact information, and more were also obtained.
Capital One said at the time of the disclosure that it is “unlikely that the information was used for fraud or disseminated by this individual.” No credit card account numbers or log-in credentials were compromised. The incident will cost the company $100-to-$150 million this year to cover customer notifications, credit monitoring, technology costs, and legal support.
The Wall Street Journal noted that Thompson got into Amazon’s metadata service, which holds important credentials. Thompson then looked for vulnerable computers to gain access to a company’s internal networks — knocking on “front doors to hunt for ones that were unlocked,” per WSJ — and came across the Capital One misconfiguration.
The lawsuit cites a Forbes article looking into whether Thompson exploited the AWS vulnerability to hack other organizations, including Michigan State University, the Ohio Department of Transportation, Italian bank UniCredit SpA and Ford.