Capital One Data Hack Leads to AWS Lawsuit

The recent hack of Capital One data hosted on Amazon Web Services Inc. (AWS) infrastructure has led to multiple lawsuits, with AWS the target of at least one.

Capital One last month announced the "data security incident" in which a person identified in news reports as a former AWS engineer obtained the personal information of customers and others who applied for credit cards.

The data was stored on AWS infrastructure. Breaches of data hosted there are a continuing problem for the company, even though well-publicized data breaches and exposures are typically found to be caused primarily by user misconfigurations rather than any inherent cloud platform flaws.

For example, even though the Capital One breach was actively instigated by an individual, a "firewall misconfiguration" was partially blamed for exposing the data to attack.

GeekWire last week reported on the resulting lawsuits, noting that a plaintiff group "also named Amazon Web Services, Capital One's cloud provider, alleging the tech giant is also culpable for the breach."

GitHub, the open source code repository and development platform, was also named in a suit for allegedly failing to monitor and respond to hacked data on its site, GeekWire said, providing this summary:

The new lawsuit, filed this week in federal court in Seattle, is unique because it includes Amazon as a defendant. It argues that Amazon knew about a vulnerability allegedly exploited by the hacker, Seattle-based engineer Paige Thompson, to pull off the attack and "did nothing to fix it." The alleged attacker, a former AWS employee, hacked into a misconfigured Web application firewall.

"The single-line command that exposes AWS credentials on any EC2 system is known by AWS and is in fact included in their online documentation," according to the complaint. "It is also well known among hackers."

Newsweek reported that AWS denied any responsibility for the hack. "An Amazon Web Services spokesperson told Newsweek: 'AWS was not compromised in any way and functioned as designed. The perpetrator gained access through a misconfiguration of the Web application and not the underlying cloud-based infrastructure. As Capital One explained clearly in its disclosure, this type of vulnerability is not specific to the cloud.' "

The Capital One hack was nevertheless bad news for AWS, which for years has been plagued by reports of exposed data usually caused by misconfigurations, no matter how much security guidance it publishes to avoid such issues.

About the Author

David Ramel is an editor and writer for Converge360.

