The data breach that appears to have exposed more than 100 million applications for Capital One credit cards couldn’t have come at a worse time for Amazon Web Services, which stores the bank’s data.
The profit-driving Amazon unit, which allows companies to rent out storage and computing space on massive servers, has been the favorite to win a 10-year, $10 billion contract from the Defense Department, which had been expected to be announced this month. It was thrown into question Thursday when the White House instructed the defense secretary to reexamine the award, officials close to the matter told The Washington Post.
House Oversight Committee lawmakers sent letters on Thursday to both Amazon and Capital One requesting briefings on the incident and more details on the companies’ security protocols. In the Amazon letter, addressed to chief executive Jeff Bezos, the lawmakers cited the potential JEDI award, writing that “the Committee may carefully examine the consequences of this breach.”
(Bezos owns The Washington Post.)
The Capital One breach could further undermine Amazon’s hopes to win the contract outright. It could also fuel anxieties among companies and other organizations considering further moving their operations into the cloud.
“Any major breach involving a cloud provider is going to blow back on them, whether it’s at all their fault, and whether or not that’s fair,” said Brian Krebs, an investigative cybersecurity researcher and blogger who has written about the breach. These companies “just want to know how they can avoid falling into the same trap.”
Earlier this week, Capital One announced the breach of its credit card applications, as well as tens of thousands of Social Security and bank account numbers. The hack appears to be one of the largest data breaches ever to hit a financial services firm.
Federal agents in Seattle on Monday arrested Paige A. Thompson, a 33-year-old former Amazon employee whom they accused of the crime. It’s unclear whether technical insight from her time working at Amazon may have given her an advantage in hacking into Capital One’s proprietary software running on Amazon’s servers.
Capital One noted that the “vulnerability is not specific to the cloud,” and Amazon spokesman Grant Milne said that Amazon Web Services was “not compromised” in the attack.
Much of Capital One’s technology runs on Amazon’s cloud offering, which provides the technical backbone on which companies can run applications that power websites, store data, handle customer-service operations and manage human-resource programs. Amazon has built dozens of massive data centers across the world, allowing companies to rent space rather than building their own internal data centers.
Amazon first created Amazon Web Services, or AWS, more than a decade ago after building out similar capacity for its own retail site, which needed to scale up and down rapidly for Black Friday and other periods of high demand. It started selling the service to outside companies, including Netflix, which uses it to host and stream movies and TV shows, and later Capital One, which uses it for things such as storing customer data.
AWS is also used by a number of government agencies and members of the intelligence community, including the CIA, on what’s called the “AWS Secret Region” — a massive collection of data centers available for storing and analyzing unclassified as well as top-secret data.
Even though Thompson left Amazon about three years ago, her technical knowledge gave her the kind of insight necessary to hack into Capital One’s computer systems, the Justice Department said in announcing her arrest. And Capital One said it believes that “a highly sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure.”
Still, Capital One says that the hack could have happened whether it was on the cloud or located in the company’s own data servers. That’s because Thompson allegedly hacked into the system via software the bank built for its own use to monitor and sometimes block Web traffic. The system, known as a Web application firewall, runs on Amazon’s servers but may have been targeted no matter where it was located.
While Thompson apparently knew enough to breach the firewall, it’s unclear whether her knowledge from her time at AWS gave her specific insight into the application Capital One created. Some researchers have said the techniques Thompson is accused of using, and the weaknesses she is accused of exploiting, are commonly known.
Krebs, the cybersecurity blogger, said security officials at other banks have contacted him in recent days voicing concerns about their own potential vulnerabilities.
“There’s nothing about the cloud that’s set-it-and-forget-it,” he said. The tools that run on top of cloud services such as AWS are “not magically any more safe than a [more traditional] data center: You still have to pay attention.”
Because Amazon pioneered the multibillion-dollar business of providing Web-based, on-demand computing resources to companies, it dominates the cloud infrastructure business, with roughly 48 percent of the market, according to estimates from Gartner. That has put it in the lead for nabbing the Defense Department’s $10 billion cloud contract. Microsoft, which is also in the running, is a distant second at 15 percent of the market.
But the breach of Capital One, one of the country’s biggest issuers of credit cards, could give ammo to President Trump, who has appeared unhappy that the lucrative deal could land at Amazon. He’s been critical of the company for years, accusing it among other things of “putting many thousands of retailers out of business!”
Trump last month said he would direct aides to investigate the Joint Enterprise Defense Infrastructure, or JEDI, contract, saying he had heard multiple complaints about an allegedly unfair bidding process. The Pentagon has previously said it intends to award the contract to only one company. But some officials who spoke with The Post on Thursday said the move to award the contract to more than one company is a possibility.
Elissa Smith, a Department of Defense spokeswoman, said newly installed Defense Secretary Mark T. Esper is examining the program and that a decision hasn’t yet been made.
The hack also fueled anxiety among federal lawmakers already unnerved by the recent settlement of another breach victim, the credit bureau Equifax.
The Senate Banking Committee and the New York attorney general said they are investigating the breach. “We want to find out all of these vulnerabilities in the system and figure out what we must do to deal with it at a policy level,” Banking Committee Chairman Mike Crapo (R-Idaho) said.
“I’m sick of waking up to headlines revealing that millions of Americans had their information stolen because a billion-dollar company failed Cybersecurity 101,” Sen. Ron Wyden (D-Ore.) said Tuesday in a tweet.
An FBI agent who raided Thompson’s residence Friday noted in the complaint filed by the Justice Department charging the former AWS employee that files on her devices included references to “other entities that may have been targets of attempted or actual network intrusions.” Several companies said this week that they are investigating if their systems were hacked as well, after seeing their names on tech websites Thompson used.
Ford, the Ohio Department of Transportation, Michigan State University, Italian bank UniCredit and tech security firm Infoblox may all have been targeted in the attacks, according to some of Thompson’s posts.
Both Ford and UniCredit said they are investigating. Michigan State University doesn’t think its systems were breached but is working with law enforcement. Infoblox is continuing to investigate but has seen “no indication of an intrusion or data breach” that would have led customer data to be exposed, spokeswoman Erica Coleman said.
And while the Ohio Department of Transportation is working with the FBI to determine whether data may have been accessed, it does not use AWS — something that may lend credence to the idea the hacker’s AWS knowledge wasn’t key to her access.
Amazon said it is working with Capital One and other companies that may have been hacked but has not found “proof that the perpetrator in the Capital One incident found similar application flaws in a few other customers,” Milne said.