A U.S. senator from Oregon wants Amazon to explain the role it played in a hack that exposed sensitive data from more than 100 million Capital One credit card applicants.
Sen. Ron Wyden sent a letter to Amazon CEO Jeff Bezos on Tuesday asking about the nature of the hack and whether vulnerabilities in the company’s cloud services had anything to do with it.
Last week, Seattle-based engineer Paige Thompson was arrested for allegedly hacking Capital One’s databases. The complaint against Thompson does not name Capital One’s cloud provider, but the company is an Amazon Web Services customer. Thompson worked as a systems engineer for Amazon from 2015 to 2016, according to her online resume.
According to the complaint, Thompson hacked into a misconfigured web application firewall. Although proper configuration is up to cloud customers, Wyden wants to find out if it is a vulnerability that regularly leaves Amazon Web Services clients exposed.
“When a major corporation loses data on a hundred million Americans because of a configuration error, attention naturally focuses on that corporation’s cybersecurity practices,” Wyden’s letter says. “However, if several organizations all make similar configuration errors, it is time to ask whether the underlying technology needs to be made safer, and whether the company that makes it shares responsibility for the breaches.”
Amazon could not immediately be reached to comment. In a statement to the Wall Street Journal over the weekend, Amazon said none of its services were the underlying cause of the hack. The company noted that it offers tools to help customers monitor for these types of breaches.
Capital One previously said that “this type of vulnerability is not specific to the cloud. The elements of infrastructure involved are common to both cloud and on-premises data center environments.”
Wyden’s questions for Bezos center on a type of hack in which a hacker exploits a Server-Side Request Forgery vulnerability. In those cases, hackers target internal systems that are protected by firewalls.
Specifically, Wyden wants to know:
- If Thompson exploited a Server-Side Request Forgery vulnerability to carry out the Capital One theft
- How many customers were compromised through that type of attack over the past two years
- What steps Amazon has taken to educate its customers about the threat of Server-Side Request Forgery attacks
The letter also asks for more information about a tweet sent by a security software engineer at Netflix in July. The engineer allegedly asked Amazon to provide extra protection from Server-Side Request Forgery attacks and did not receive a “satisfactory response.” The tweet has since been deleted.
Netflix asked the engineer to remove the tweet because it does not reflect the company’s attitude toward Amazon, according to The Wall Street Journal, which first reported on Wyden’s letter.
Both Netflix and Capital One are listed on the Amazon Web Services website as customer success stories. Amazon says its cloud services have more than a million active customers.
The Wall Street Journal also published a deep dive over the weekend that details how Thompson allegedly pulled off the massive data theft. Thompson is scheduled to appear in court in Seattle on Aug. 15.
The Capital One breach could cast a shadow over Amazon’s efforts to win a highly sought-after contract to build the Pentagon’s cloud. Microsoft and Amazon are the final contenders for the Joint Enterprise Defense Infrastructure project. The winner will be tasked with overhauling the Defense Department’s technology infrastructure and building a system that allows different branches of the military to share sensitive information in the cloud.
In his letter, Wyden suggests that Amazon Web Services could be “the common element in a series of high-profile hacks targeting large corporations.”
“It would raise serious questions about whether other corporations and government entities that use Amazon’s cloud computing products are also vulnerable,” Wyden said.
Wyden asked Bezos to respond to his questions by Aug. 13.
Editor’s note: This story has been updated to clarify that the hacker accessed information from 100 million Capital One credit card applicants.