Wyden and Warren to FTC: Investigate Amazon’s Negligence in Capital One Hack

Last week, Senators Ron Wyden, D-Ore., and Elizabeth Warren, D-Mass. urged the Federal Trade Commission (FTC) to investigate and determine if Amazon’s failure to secure the servers it rented to Capital One violated federal law.

In July 2019, a hacker stole the personal information of 100 million Americans from Capital One using a popular cyberattack technique known as a “server side request forgery” (SSRF). Capital One rented the breached servers through Amazon’s cloud-based computing platform, Amazon Web Services or AWS.

“Amazon knew, or should have known, that AWS was vulnerable to SSRF attacks. Although Amazon’s competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective cloud computing services to businesses, government agencies, and to the general public. As such, Amazon shares some responsibility for the theft of data on 100 million Capital One customers,” the senators wrote.

“The FTC has the authority and responsibility to investigate unfair and deceptive business practices. We urge you to investigate whether Amazon’s failure to secure its services against SSRF attacks constitutes an unfair business practice, which would violate Section 5 of the FTC Act,” the senators continued.

Wyden previously wrote to Amazon CEO Jeff Bezos pressing for more answers regarding his company’s cloud service’s role in the Capital One hack. Amazon’s response to the August 2019 letter is available here . Senator Warren wrote to Capital One following the breach, requesting information about security vulnerabilities that led to data breach, and the company’s plans to rectify the situation and hold executives and contractors accountable.

An email demonstrating Amazon’s prior knowledge of SSRF attacks is also attached to today’s letter.

The letter to the FTC urging an investigation is here. Amazon’s aforementioned response to Wyden is also attached to that letter.