A pair of Senate Democrats called on the Federal Trade Commission Thursday to investigate whether Amazon violated federal law by neglecting to secure the breached servers Capital One rented from the tech giant during the July hack that compromised millions of Americans’ personal information.
Sens. Ron Wyden, D-Ore., and Elizabeth Warren, D-Mass., penned a letter to FTC Chairman Joseph Simmons, urging him to open an investigation into how potential negligence from Amazon could’ve caused that attack. The senators note that the Capital One hacker used a popular cyberattack technique—server side request forgery, or SSRF—to steal the data from servers the bank was leasing from Amazon’s cloud-based computing platform, Amazon Web Services.
“Amazon knew, or should have known, that AWS was vulnerable to SSRF attacks. Although Amazon’s competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective cloud computing services to businesses, government agencies, and to the general public,” the senators wrote. “As such, Amazon shares some responsibility for the theft of data on 100 million Capital One customers.”
The senators attached correspondence they received in August from the technology company, in which Amazon acknowledges that the incident exploited an SSRF vulnerability. Warren and Wyden wrote that two of the company’s largest competitors, Google and Microsoft, have equipped their products with mandatory protections against SSRFs for years.
The senators also said that it’s likely that the tech giant was aware that its AWS products could be threatened by such attacks since 2014, when a cybersecurity researcher gave the first high-profile demonstration of the vulnerability. In 2018 a cybersecurity expert also contacted the company’s security team and recommended that the tech giant adopt similar defenses to SSRFs as its competitors had implemented.
“Amazon failed to act on this third-party report and has not provided an explanation for its inaction,” the senators wrote. “We urge you to investigate whether Amazon’s failure to secure its services against SSRF attacks constitutes an unfair business practice, which would violate [the law].”