Senators urge FTC to investigate Amazon over Capital One hack

29 Oct 2019


Two US senators have written to the FTC, urging it to investigate Amazon Web Services over whether it played a role in the Capital One breach.

US senators Ron Wyden and Elizabeth Warren have written to the Federal Trade Commission (FTC) urging it to launch an investigation into Amazon. They want the FTC to determine whether the company failed to secure servers it rented to Capital One, in violation of federal law.

Citing the FTC’s own message that companies have an obligation to act on third-party reports of cybersecurity vulnerabilities, the senators argued in a letter that the company had known that its Amazon Web Services (AWS) product was vulnerable to server-side request forgery (SSRF) attacks, in which an attacker tricks a server into making requests on their behalf to resources they cannot reach directly, “since mid-2018 at the latest”.

Hackers used this SSRF technique to infiltrate Capital One’s servers, stealing the data of 100m customers in the process.
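The article names SSRF as the technique but does not show what the defence looks like. The following is an added example, not code from Capital One, AWS or the senators' letter: a web application that fetches a user-supplied URL, shown in its SSRF-prone form beside a hardened form that allows only http(s) on default ports and only hosts whose every resolved address is globally routable. It goes beyond the article in one respect that is labelled as an assumption: the link-local range (169.254.0.0/16) is where cloud instance metadata services live in general, which is why it is the canonical SSRF target in a cloud deployment; the article itself does not name that endpoint. The hostnames, the DNS table and the address `8.8.8.8` are constructed so the example runs offline.

```python
"""SSRF-hardened target validation for a server-side URL fetcher.

Added example, not Capital One's or AWS's code. Assumes the common pattern of a
web app fetching a URL the user supplies. The link-local range is treated as the
home of cloud metadata services (an assumption; the article does not name it)."""
import ipaddress
import socket
from urllib.parse import urlsplit


class SSRFError(ValueError):
    """Raised when a user-supplied URL would reach something it must not."""


def is_blocked_address(addr_text):
    """True for loopback, RFC 1918, link-local (incl. 169.254.0.0/16, where cloud
    instance metadata lives) and any other non-global address, after unmapping
    IPv4-in-IPv6 forms such as ::ffff:127.0.0.1."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not addr.is_global


def system_resolver(host):
    """Every address a hostname resolves to; one internal record is enough to block."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


# Constructed DNS table so the example runs offline; deployments use system_resolver.
CONSTRUCTED_DNS = {
    "app.example.com": {"8.8.8.8"},                      # constructed: public only
    "dual.example.com": {"8.8.8.8", "169.254.169.254"},  # constructed: one record is link-local
    "2130706433": {"127.0.0.1"},                         # decimal 127.0.0.1, as libc resolves it
}


def constructed_resolver(host):
    return CONSTRUCTED_DNS.get(host, set())


def unsafe_target(url):
    """'Before': the server fetches whatever the user asked for (the SSRF-prone pattern)."""
    return url


def safe_target(url, resolver=system_resolver):
    """'After': allow only http(s) on default ports to hosts whose every resolved
    address is globally routable. Returns the pinned address set the caller must
    connect to directly, so a DNS change between check and connect cannot retarget it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise SSRFError("URL has no host")
    try:
        port = parts.port
    except ValueError as exc:
        raise SSRFError("malformed port") from exc
    if port not in (None, 80, 443):
        raise SSRFError(f"port not allowed: {port}")
    try:
        addresses = {str(ipaddress.ip_address(host))}  # literal IP: no lookup needed
    except ValueError:
        addresses = set(resolver(host))
    if not addresses:
        raise SSRFError(f"{host!r} does not resolve")
    for addr in addresses:
        if is_blocked_address(addr):
            raise SSRFError(f"{host!r} resolves to non-global address {addr}")
    return addresses


def classify(urls, resolver=system_resolver):
    """Map each URL to ('allowed', sorted addresses) or ('blocked', reason)."""
    result = {}
    for url in urls:
        try:
            result[url] = ("allowed", sorted(safe_target(url, resolver)))
        except SSRFError as exc:
            result[url] = ("blocked", str(exc))
    return result


if __name__ == "__main__":
    sample = [
        "https://app.example.com/report",
        "http://169.254.169.254/",
        "http://dual.example.com/",
        "http://2130706433/",
        "http://[::ffff:127.0.0.1]/",
        "file:///etc/passwd",
        "http://app.example.com:8080/",
    ]
    for url, (verdict, detail) in classify(sample, constructed_resolver).items():
        print(f"{verdict:8} {url}  {detail}")
```

Two caveats a practitioner would want: the caller must connect to one of the returned pinned addresses (sending the original hostname in the Host/SNI fields) rather than resolving again, and it must not follow HTTP redirects automatically, since a redirect from an allowed public host to an internal address is the usual way round a check like this. Validation alone also does not remove the reason the attack paid off; the credentials reachable from inside the server should carry only the permissions that server needs.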

The letter continues: “Amazon continues to sell defective cloud computing services to businesses, government agencies and to the general public. As such, Amazon shares some responsibility for the theft of data on 100m Capital One customers.

“The FTC has the authority and responsibility to investigate unfair and deceptive business practices. We urge you to investigate whether Amazon’s failure to secure its services against SSRF attacks constitutes an unfair business practice.”

Siliconrepublic.com reached out to representatives from AWS for comment but could not reach them at the time of publication.

Balaji Parimi, CEO at CloudKnox Security, commented that security in the cloud is “a shared responsibility”, noting that over-provisioned privileges within AWS’s cloud platform contributed to the breach. Parimi said: “AWS and every security best practice have been touting the importance of implementing the least-privilege policy to mitigate these types of risks. Unfortunately, it is easier said than done.

“When roles are created, the set of privileges for the roles are determined based on assumptions. When dealing with thousands of privileges, and assumption-based permissions, over provisioning of privileges is inevitable. This incident sheds light on the magnitude of the dangers of over-privileged identities.”

Amazon is already the subject of a broad FTC investigation relating to possible antitrust violations. The e-commerce company, along with other tech giants such as Apple, Facebook and Google, was recently asked to turn over a cache of internal documents.

Eva Short was a journalist at Silicon Republic
