US lawmakers intensify questioning over Capital One data breach

US lawmakers are stepping up their probe into the Capital One data breach, firing questions at Amazon CEO Jeff Bezos about the role of AWS cloud controls in the incident.

US Senator Ron Wyden is the latest US lawmaker to question the security precautions deployed by AWS cloud customers after the personal information of 106 million Capital One credit card holders and applicants in the US and Canada was hacked and published on the Internet.

Dubbed one of the largest data breaches to hit a financial services firm, the Capital One hack is expected to cost the company between $100 million and $150 million.

The hack was perpetrated by a former AWS engineer who bypassed a misconfigured firewall within the bank's network and then gained access to the storage where data was held within the cloud infrastructure the company used.

In his letter to Bezos, Wyden draws attention to the use of Simple Storage Service (S3) buckets within AWS for data storage. Amazon's customers are responsible for securing their S3 buckets, but with rumours abounding about similar leaks at other AWS users, Wyden wants to know what Amazon is doing at its end to improve security.

"When a major corporation loses data on a hundred million Americans because of a configuration error, attention naturally focuses on that corporation's cyber security practices," Wyden writes. "However, if several organisations all make similar configuration errors, it is time to ask whether the underlying technology needs to be made safer, and whether the company that makes it shares responsibility for the breaches."

Wyden joins a growing chorus of lawmakers calling for answers. Earlier this month, the US House of Representatives Committee on Oversight and Reform requested a formal briefing with Capital One and Amazon to get to the root cause of the breach. This intervention followed news of a formal probe into the incident by New York’s attorney-general.

Comments: (1)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 09 August, 2019, 13:47

I totally welcome the probe into AWS. Too often, end customers are blamed unilaterally for data breaches when the root cause could lie elsewhere. As I'd asked in my post entitled Why Is This Data Breach Different?, "Was the data stolen from in-house data centers of the payment processors? Or was it located on a 'cloud' provided by some third party cloud services companies?"

Not talking about AWS specifically, but it's no secret that most IaaS providers make all kinds of claims before the sale - e.g. "cloud eliminates your infra overheads" - but, after the sale, turn around and say even basic infra hygiene like backups is not covered by them.

It's high time cloud infra providers are pinned down to their presales commitments and held at least partially liable for penalties for data breaches.