Senators Ask FTC to Probe Amazon Actions in Capital One Breach

(Bloomberg) -- Two Democratic senators said the U.S. Federal Trade Commission should investigate whether Amazon.com Inc. violated federal law in its handling of security ahead of a Capital One Financial Corp. breach that exposed data from about 100 million people in the U.S.

Capital One said in July that the data was illegally accessed after prosecutors accused a woman identified as a former employee of Amazon’s cloud-computing division of taking advantage of a vulnerability.

“Amazon shares some responsibility for the theft of data on 100 million Capital One customers,” Senator Ron Wyden of Oregon, who is the top Democrat on the Senate Finance Committee, and Massachusetts Senator Elizabeth Warren, a 2020 presidential candidate, wrote in a letter dated Thursday to FTC Chairman Joe Simons.

The Wall Street Journal earlier reported the letter, which was released by Wyden’s office with an August 2018 email that appeared to be alerting Amazon to a security issue -- known as a server side request forgery, or SSRF vulnerability -- that played a significant role in the breach, as well as a response from the company promising to look into the issue.

The letter from the senators also says that Amazon’s failure to address the flaw as competitors Alphabet Inc.’s Google and Microsoft Corp. have done “has been the subject of significant public discussion among cybersecurity experts for the past five years, including in presentations at major industry conferences.”

The FTC should look into whether Amazon’s failure to secure its services “constitutes an unfair business practice,” which would violate federal law, the letter said.

Misconfigured Firewall

An Amazon spokeswoman didn’t immediately return a request for comment, but Wyden released an August letter from Stephen Schmidt, the chief information security officer of Amazon Web Services, the company’s cloud division. He blamed Capital One for a misconfigured firewall that acted as the primary vulnerability. Schmidt said AWS gives “customers clear guidance on both the importance and necessity of protecting themselves from SSRF attacks.” AWS had been scanning for misconfigured firewalls, he said.

In an August letter to Treasury Secretary Steven Mnuchin, a pair of Democratic lawmakers in the House, Representatives Nydia Velazquez of New York and Katie Porter of California, said the breach showed that financial regulators should consider designating major cloud providers as “systemically important.” That could lead to AWS and its competitors getting tough oversight from the Federal Reserve and other watchdogs.

An FTC spokeswoman declined to comment. A Capital One spokesman also declined to comment.

--With assistance from David McLaughlin.

To contact the reporter on this story: Ben Brody in Washington, D.C. at btenerellabr@bloomberg.net

To contact the editors responsible for this story: Sara Forden at sforden@bloomberg.net, Mark Niquette, Molly Schuetz

©2019 Bloomberg L.P.