Antitrust Law Daily
Thursday, October 24, 2019

Wyden, Warren urge FTC to investigate Amazon’s Capital One breach

By J. Preston Carter, J.D., LL.M.

The senators say Google, since 2013, and Microsoft, since 2017, used the sort of cyberattack protection that, if used by Amazon, might have prevented the Capital One breach.

Senators Ron Wyden (D-Ore) and Elizabeth Warren (D-Mass) sent a letter to the FTC today, urging the agency to investigate and determine if Amazon’s failure to secure the servers it rented to Capital One constitutes an unfair business practice in violation of Section 5 of the FTC Act. The letter contends that Amazon knew, or should have known, that its cloud-based computing platform was vulnerable to cyberattacks.

In July 2019, Capital One revealed that a hacker had breached its systems and stolen the personal data of 100 million Americans. Amazon acknowledged in August that the hacker stole data from Amazon servers rented by Capital One using a popular cyberattack technique known as "server-side request forgery" (SSRF). Capital One rented the breached servers through Amazon’s cloud-based computing platform, Amazon Web Services (AWS). The letter states that Amazon’s largest competitors have included mandatory protections against SSRF attacks in their products for several years: Google, since 2013, and Microsoft, since 2017.

The letter goes on to state that, while Amazon has likely known that its AWS product was vulnerable to SSRF attacks since the first high-profile demonstration by a cybersecurity researcher in 2014, the company has certainly known since mid-2018 at the latest. At that time, a cybersecurity expert emailed Amazon’s security team and recommended that the company adopt the same defense against SSRF attacks already used by Google and Microsoft.

"Amazon knew, or should have known, that AWS was vulnerable to SSRF attacks. Although Amazon’s competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective cloud computing services to businesses, government agencies, and to the general public. As such, Amazon shares some responsibility for the theft of data on 100 million Capital One customers," the senators wrote.

"The FTC has the authority and responsibility to investigate unfair and deceptive business practices. We urge you to investigate whether Amazon’s failure to secure its services against SSRF attacks constitutes an unfair business practice, which would violate Section 5 of the FTC Act," the senators continued.

Wyden’s press release announcing the letter notes that he previously wrote to Amazon CEO Jeff Bezos, pressing for more answers regarding the role of his company’s cloud service in the Capital One hack. It also notes that Warren wrote to Capital One following the breach, requesting information about the security vulnerabilities that led to the data breach and about the company’s plans to rectify the situation and hold executives and contractors accountable.

Companies: Amazon, Inc.; Capital One Financial Corp.; Google LLC; Microsoft Corporation
