Sens. Warren and Wyden urge FTC to investigate Amazon's role in Capital One hack

Key Points
  • Capital One reveals in July that a hacker gained access to more than 100 million individuals' records through servers rented from Amazon's cloud-based computing platform, Amazon Web Services.
  • Sens. Elizabeth Warren and Ron Wyden write a letter Thursday to the Federal Trade Commission asking it to investigate Amazon's failure to secure the servers.

Two lawmakers want to know about Amazon's role in the Capital One hack that exposed data of 100 million individuals.

Sens. Ron Wyden, D-Ore., and Elizabeth Warren, D-Mass., wrote a letter to the Federal Trade Commission on Thursday asking it to investigate whether Amazon's failure to secure the servers it rented to Capital One violated federal law.

In July, Capital One revealed that a hacker had gained access to the accounts and credit card applications of more than 100 million customers and prospective customers. Sensitive information, including Social Security numbers and bank account numbers, was compromised.

Capital One rented the hacked servers from Amazon's cloud-based computing platform, Amazon Web Services, or AWS.

"As Amazon acknowledged ... the hacker stole data from Amazon servers rented by Capital One using a hacking technique known as a 'server side request forgery (SSRF) attack,'" the senators wrote in their letter to the FTC. "Amazon knew, or should have known, that AWS was vulnerable to SSRF attacks."

The senators cited Amazon competitors Google and Microsoft as examples of companies that have secured their cloud-based services against such hacks.

"Amazon's failure to add a similar software protection against SSRF attacks to its [AWS] cloud computing product has been the subject of significant public discussion among cybersecurity experts for the past five years, including in presentations at major industry conferences," the senators wrote.

Capital One declined to comment. A spokesperson from the FTC confirmed the agency received the senators' letter but declined to comment.

An AWS spokesperson told CNBC in a statement Thursday: "The letter's claim is baseless and a publicity attempt from opportunistic politicians. As Capital One has explained, the perpetrator attacked a misconfiguration at the application layer of a Capital One firewall. The SSRF technique used in this incident was just one of many subsequent steps the perpetrator followed after gaining access to the company's systems, and could have been substituted for a number of other methods given the level of access already gained."

Former AWS employee Paige Thompson was arrested after the hack was revealed, and she has been charged with alleged computer fraud and "abuse for an intrusion on the stored data."

It comes as little surprise that one author of the letter is Warren, whose tough words calling for greater regulation of big tech companies have become a hallmark of her presidential campaign.

Correction: This story has been amended to reflect the correct wording of the quotes from the letter sent by Sens. Elizabeth Warren and Ron Wyden to the Federal Trade Commission.
