Big tech continues to feel the heat from Washington. In the latest blast, two members of the U.S. Senate are questioning whether Amazon violated federal law in connection with the Capital One data breach.
Sen. Ron Wyden (D-Ore.) and Sen. Elizabeth Warren (D-Mass.), who is seeking the Democratic presidential nomination, have asked the Federal Trade Commission (FTC) to investigate the matter. They want to determine whether Amazon adequately secured its AWS cloud servers prior to the attack.
In July, Capital One reported what may be the nation’s second-largest hack, revealing that a hacker accessed the records of around 100 million consumers in the U.S. and Canada.
The bank said the breach may have occurred in March of this year. It came to light on July 17, when an external security researcher reported a configuration vulnerability that the company confirmed two days later. An arrest was quickly made and Capital One said it was “unlikely that the information was used for fraud or disseminated” by the suspect.
Amazon owns the servers
Amazon enters the picture because its AWS service owns the servers and leased space to the Virginia-based bank. The hack relied on a popular cyberattack technique known as “server-side request forgery” (SSRF).
“Amazon knew or should have known, that AWS was vulnerable to SSRF attacks,” the lawmakers wrote in their letter. “Although Amazon’s competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective cloud computing services to businesses, government agencies, and to the general public. As such, Amazon shares some responsibility for the theft of data on 100 million Capital One customers.”
Wyden and Warren say the matter falls squarely under the FTC’s jurisdiction since it has the authority and responsibility to investigate unfair and deceptive business practices. They want the agency to determine whether AWS’ vulnerability to an SSRF attack constitutes an unfair business practice.
Amazon did not immediately respond to media requests to comment on the lawmakers’ letter. According to Reuters, both Capital One and the FTC declined to comment.