United States senators Ron Wyden (D-Oregon) and Elizabeth Warren (D-Massachussetts) are urging the Federal Trade Commission to investigate Amazon over the massive Capital One data breach that impacted more than 100 million people.
In July, it was discovered that a hacker obtained sensitive Capital One customer data that was stored on Amazon Web Services, the e-commerce giant's popular cloud service. The incident impacted approximately 100 million people in the United States and six million in Canada, Capital One said at the time. The suspected hacker, former Amazon employee Paige A. Thompson, allegedly accessed the information by taking advantage of a firewall misconfiguration in Capital One's cloud infrastructure.
Now, Wyden and Warren are pressing the FTC to investigate Amazon over whether or not what the senators called a "failure to secure the servers it rented to Capital One" would be in violation of federal law.
In a letter addressed to Joseph J. Simons, chairman of the FTC, Wyden and Warren accuse Amazon of not implementing the same level of protection against the type of attack that the suspected hacker used to obtain the data — known as a server side request forgery (SSRF) attack — as other tech firms like Microsoft and Google.
The senators also write that Amazon knew that its servers were vulnerable to SSRF attacks since August 2018, when a cybersecurity researcher contacted the company.
"Amazon knew, or should have known, that AWS was vulnerable to SSRF attacks," the letter reads. "Although Amazon's competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective cloud computing services to businesses, government agencies, and to the general public. As such, Amazon shares some responsibility for the theft of data on 100 million Capital One customers."
An Amazon Web Services spokesperson called the letter's claims "baseless" in a statement to Business Insider, saying that the attacker targeted a misconfiguration of Capital One's firewall. See below for the company's full comment.
"The letter's claim is baseless and a publicity attempt from opportunistic politicians. As Capital One has explained, the perpetrator attacked a misconfiguration at the application layer of a Capital One firewall. The SSRF technique used in this incident was just one of many subsequent steps the perpetrator followed after gaining access to the company's systems, and could have been substituted for a number of other methods given the level of access already gained."
The FTC did not immediately respond to Business Insider's request for comment.
Ameesh Divatia, CEO and co-founder of data protection firm Baffle, also said that the blame should not rest with Amazon.
"Step one in terms of mitigating these issues is [to] get out of this false sense of security that cloud users have, that Amazon will take care of it," Divatia said to Business Insider back in July.
Wyden previously wrote to Amazon CEO Jeff Bezos seeking more information about the company's potential role in the incident.
This new letter comes as tech firms like Amazon have come under increased scrutiny over concerns relating to consumer privacy and potentially anticompetitive business practices. The FTC is said to have begun an investigation to determine whether Amazon is using its size and reach to hamper competition in September, according to Bloomberg.
Warren and Wyden have also been vocal critics of tech industry giants like Amazon. Back in March, Warren proposed a plan to break up large tech firms like Apple, Amazon, Google, and Facebook, while Wyden recently introduced a bill cracking down on tech firms and executives that violate user privacy.