October 24, 2019

Wyden and Warren to FTC: Investigate Amazon’s Negligence in Capital One Hack

Senators Urge FTC to Investigate Whether Amazon’s Failure to Secure Servers Rented to Capital One Broke Federal Law

Washington, D.C. – U.S. Senators Ron Wyden, D-Ore., and Elizabeth Warren, D-Mass., today urged the Federal Trade Commission (FTC) to investigate and determine if Amazon’s failure to secure the servers it rented to Capital One violated federal law.

In July 2019, a hacker stole the personal information of 100 million Americans from Capital One using a popular cyberattack technique known as a “server side request forgery” (SSRF). Capital One rented the breached servers through Amazon’s cloud-based computing platform, Amazon Web Services or AWS.

“Amazon knew, or should have known, that AWS was vulnerable to SSRF attacks. Although Amazon’s competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective cloud computing services to businesses, government agencies, and to the general public. As such, Amazon shares some responsibility for the theft of data on 100 million Capital One customers,” the senators wrote.

“The FTC has the authority and responsibility to investigate unfair and deceptive business practices. We urge you to investigate whether Amazon’s failure to secure its services against SSRF attacks constitutes an unfair business practice, which would violate Section 5 of the FTC Act,” the senators continued.

Wyden previously wrote to Amazon CEO Jeff Bezos pressing for more answers regarding his company’s cloud service’s role in the Capital One hack. Amazon’s response to the August 2019 letter is available here and as an attachment to today’s letter. Senator Warren wrote to Capital One following the breach, requesting information about security vulnerabilities that led to data breach, and the company’s plans to rectify the situation and hold executives and contractors accountable.

An email demonstrating Amazon’s prior knowledge of SSRF attacks is also attached to today’s letter.

A copy of today’s letter is available here.