US lawmakers are stepping up their probe into the Capital One data breach, firing questions to Amazon CEO Jeff Bezos about the role of AWS cloud controls in the incident.
US Senator Ron Wyden is the latest US lawmaker to question the security precautions deployed by AWS cloud customers after the personal information of 106 million Capital One credit card holders and applicants in the US and Canada were hacked and published on the Internet.
Dubbed one of the largest data breaches to hit a financial services firm, the Capital One hack is expected to cost the company between $100 million and $150 million.
The hack was perpetrated by a former AWS engineer who bypassed a misconfigured firewall within the bank's network and then gained access to where data was stored within the cloud infrastructure the company used.
In his letter to Bezos, Wyden draws attention to the use of Simple Storage Service (S3) buckets within AWS for data storage. Amazon's customers are responsible for securing their S3 buckets, but with rumours abounding about similar leaks at other AWS users, Wyden wants to know what Amazon is doing at its end to improve security.
"When a major corporation losses data on a hundred million Americans because of a configuration error, attention naturally focuses on that corporation's cyber security practices," wyden writes. "However, if several organisations all make similar configuration errors, it is time to ask whether the underlying technology needs to be made safer, and whether the company that makes it shares responsibility for the breaches."
Wyden joins a growing chorus of lawmakers calling for answers. Earlier this month, the US House of Representatives Committee on Oversight and Reform requested a formal briefing with Capital One and Amazon to get to the root cause of the breach. This intervention followed news of a formal probe into the incident by New York’s attorney-general.