Capital One Breach: Senators penned a letter to the FTC urging it to investigate whether Amazon is to blame for the massive Capital One data breach disclosed earlier this year.
Amazon is at least partly to blame for the massive 2019 Capital One breach that impacted more than 100 million customers, senators are alleging. Security researchers, however, are of two minds.
In a letter to the Federal Trade Commission (FTC) this week, U.S. senators Ron Wyden (D-Ore.) and Elizabeth Warren (D-Mass.) called for an investigation of Amazon’s role in the Capital One data breach, in which a hacker accessed data hosted on servers on Amazon’s cloud computing platform, Amazon Web Services (AWS).
“Amazon knew, or should have known, that AWS was vulnerable to server-side request forgery [SSRF] attacks,” the senators wrote on Thursday. “Although Amazon’s competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective cloud computing services to businesses, government agencies, and to the general public. As such, Amazon shares some responsibility for the theft of data on 100 million Capital One customers.”
SSRF is a type of server-side attack in which a server is tricked into connecting to another server it did not intend to reach. SSRF flaws occur when a web application fetches outside resources on request, which can allow an attacker to send crafted requests from the back-end server of the vulnerable web application.
In the case of the 2019 breach, a misconfigured web application firewall, which was hosted on the AWS cloud platform, enabled a hacker to launch the SSRF attack and access credit applications, Social Security numbers and bank account numbers between March 19 and July 17. The illegally accessed data was primarily related to credit-card applications made between 2005 and early 2019, by both consumers and businesses. These include a raft of personal information, such as names, addresses and dates of birth; and financial information, including self-reported income and credit scores.
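The SSRF defense the article alludes to, shown as an added example that is not from the article or from Capital One or Amazon: a URL fetcher that trusts user input (the "before" form) next to a hardened check that enforces a destination allowlist and rejects any resolved address in loopback, private or link-local space. The hostnames, allowlist and DNS table are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist: the only hosts this application legitimately fetches from.
ALLOWED_HOSTS = {"api.partner.example", "cdn.example"}

# Constructed DNS table (hypothetical names and addresses) so the check runs offline.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "cdn.example": ["169.254.169.254"],   # allowed name that resolves into link-local space
}

def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])

def system_resolver(host: str) -> list[str]:
    return socket.gethostbyname_ex(host)[2]

def is_forbidden_ip(ip: str) -> bool:
    """Addresses an outbound fetch should never reach: loopback, RFC 1918 / other
    non-global ranges, link-local (where cloud instance metadata services live),
    multicast, reserved and unspecified."""
    a = ipaddress.ip_address(ip)
    return (a.is_loopback or a.is_private or a.is_link_local
            or a.is_multicast or a.is_reserved or a.is_unspecified)

def vulnerable_target(url: str) -> str:
    """'Before' form: trusts the user-supplied URL and returns whatever host it names."""
    return urlparse(url).hostname or ""

def check_outbound_url(url: str, resolver=system_resolver) -> tuple[bool, str]:
    """Hardened form: (True, host) only if the scheme, the host allowlist and every
    resolved address pass; otherwise (False, reason)."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return False, f"scheme {p.scheme!r} not allowed"
    host = p.hostname
    if not host or host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    addrs = resolver(host)
    if not addrs:
        return False, f"{host} did not resolve"
    # Check every address: an allowed name can still resolve to an internal IP.
    for ip in addrs:
        if is_forbidden_ip(ip):
            return False, f"{host} resolves to forbidden address {ip}"
    # The caller should connect to a validated IP and not follow redirects,
    # otherwise a redirect or DNS rebinding can undo these checks.
    return True, host

if __name__ == "__main__":
    for u in ("https://api.partner.example/v1/x", "http://cdn.example/a.js", "http://10.0.0.5/admin"):
        print(u, "->", check_outbound_url(u, resolver=fake_resolver))
```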