Sens. Elizabeth Warren (D-Mass.) and Ron Wyden (D-Ore.) urged the Federal Trade Commission (FTC) on Thursday to investigate whether Amazon’s failure to secure its servers, which resulted in a breach that exposed the personal data of 100 million Americans, was a violation of federal law.
Warren and Wyden wrote in a letter to FTC Chairman Joseph Simons on Thursday that Amazon “knew, or should have known” that their Amazon Web Services (AWS) cloud server, which the company rented to Capital One to store data, was vulnerable to cyberattacks.
The massive data breach was revealed in July when Capital One announced that an individual was able to gain access to the data of both credit card customers and those who had applied for credit cards. The data of 6 million Canadians was also included in the breach, with some Social Security and credit card numbers among the compromised data.
Former Amazon employee Paige Thompson was subsequently arrested and indicted by a federal grand jury in August for allegedly breaching servers containing customer data from Capital One and approximately 30 other companies.
Thompson was arrested after she posted about her theft of the data on GitHub and another user reported her to Capital One, which then alerted the FBI.
Wyden, who serves as the top Democrat on the Senate Finance Committee, and Warren, who serves on the Senate Banking Committee, made the case that Amazon may have broken the law through its failure to secure its servers against server side request forgery (SSRF) attacks, the method allegedly used by Thompson to gain access to the data.
“Although Amazon’s competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective cloud computing services to businesses, government agencies, and to the general public,” the senators wrote. “As such, Amazon shares some responsibility for the theft of data on 100 million customers.”
Specifically, the senators asked the FTC to investigate whether Amazon’s failure to secure its services constitutes an “unfair and deceptive business practice,” which would violate Section 5 of the FTC Act.
The senators cited a 2018 email that Amazon received from a cybersecurity expert who raised concerns around potential SSRF attacks on Amazon’s servers and recommended that the company adopt security practices already used by Google and Microsoft to further secure sensitive data. An Amazon official responded to the expert by saying their feedback would be considered.
A spokesperson for AWS pushed back against the requested investigation, telling The Hill that “the letter’s claim is baseless and a publicity attempt from opportunistic politicians.”
The spokesperson added that “As Capital One has explained, the perpetrator attacked a misconfiguration at the application layer of a Capital One firewall. The SSRF technique used in this incident was just one of many subsequent steps the perpetrator followed after gaining access to the company’s systems, and could have been substituted for a number of other methods given the level of access already gained.”
A spokesperson for the FTC told The Hill that it had received the letter from the senators, but had no additional comment on a potential investigation.
Wyden sent a letter to Amazon in early August following the announcement of the breach asking questions around the incident, to which AWS Chief Information Security Officer Stephen Schmidt responded that Amazon “invests a substantial amount of resources securing our services and helping our customers secure themselves, and will continue to do so forever.”
Warren, a 2020 Democratic presidential candidate, has made breaking up big tech a key part of her campaign platform, zeroing in on Amazon as part of this.
-Updated at 3 pm to include a statement from AWS