- Capital One reveals in July that a hacker gained access to more than 100 million individuals' records through servers rented from Amazon's cloud-based computing platform, Amazon Web Services.
- Sens. Elizabeth Warren and Ron Wyden write a letter Thursday to the Federal Trade Commission asking it to investigate Amazon's failure to secure the servers.
Sens. Ron Wyden, D-Ore., and Elizabeth Warren, D-Mass., wrote a letter to the Federal Trade Commission on Thursday asking it to investigate whether Amazon's failure to secure the servers it rented to Capital One violated federal law.
In July, Capital One revealed that a hacker had gained access to the accounts and credit card applications of more than 100 million customers and prospective customers. Sensitive information, including Social Security numbers and bank account numbers, was compromised.
Capital One rented the hacked servers from Amazon's cloud-based computing platform, Amazon Web Services, or AWS.
"As Amazon acknowledged ... the hacker stole data from Amazon servers rented by Capital One using a hacking technique known as a 'server side request forgery (SSRF) attack,'" the senators wrote in their letter to the FTC. "Amazon knew, or should have known, that AWS was vulnerable to SSRF attacks."
"Amazon's failure to add a similar software protection against SSRF attacks to its [AWS] cloud computing product has been the subject of significant public discussion among cybersecurity experts for the past five years, including in presentations at major industry conferences," the senators wrote.
Capital One declined to comment. A spokesperson from the FTC confirmed the agency received the senators' letter but declined to comment.
An AWS spokesperson told CNBC in a statement Thursday: "The letter's claim is baseless and a publicity attempt from opportunistic politicians. As Capital One has explained, the perpetrator attacked a misconfiguration at the application layer of a Capital One firewall. The SSRF technique used in this incident was just one of many subsequent steps the perpetrator followed after gaining access to the company's systems, and could have been substituted for a number of other methods given the level of access already gained."
Former AWS employee Paige Thompson was arrested after the hack was revealed, and she has been charged with alleged computer fraud and "abuse for an intrusion on the stored data."
It comes as little surprise that one author of the letter is Warren, whose tough words calling for greater regulation of big tech companies have become a hallmark of her presidential campaign.
Correction: This story has been amended to reflect the correct wording of the quotes from the letter sent by Sens. Elizabeth Warren and Ron Wyden to the Federal Trade Commission.