The top Democrat on the Senate Finance Committee is evaluating the potential risk to companies and government agencies from Amazon’s cloud-computing service, which stored Capital One data stolen in a massive data breach.
The intrusion, one of the largest data breaches in history, has already prompted an investigation from New York’s attorney general, and Republicans on the House Oversight and Reform Committee previously asked executives from Capital One and Amazon Web Services for a briefing.
Now, organizations including Ford Motor Company, the Ohio Department of Transportation, Michigan State University, and an Italian bank are looking into possibly related hacks, Sen. Ron Wyden of Oregon pointed out in a Monday letter to Amazon CEO Jeff Bezos, according to the Wall Street Journal.
“If Amazon’s cloud computing services are found to be the common element in a series of high-profile hacks targeting large corporations, it would raise serious questions about whether other corporations and government entities that use Amazon’s cloud computing products are also vulnerable,” he wrote.
McLean, Virginia-based Capital One disclosed the hack affecting more than 100 million consumers last week, and the FBI arrested Paige Thompson, a Seattle software engineer and former Amazon employee, in the theft of the personal data on the lender’s customers and credit card applicants.
Thompson, 33, exploited a misconfigured firewall to access cloud-based data servers where the information was stored, according to the Justice Department. The FBI did not name Amazon in the criminal complaint filed against Thompson, but the web giant revealed it provides cloud computing services for Capital One.
“When a major corporation loses data on a hundred million Americans because of a configuration error, attention naturally focuses on that corporation’s cybersecurity practices,” Wyden wrote. “However, if several organizations all make similar configuration errors, it is time to ask whether the underlying technology needs to be made safer, and whether the company that makes it shares responsibility for the breaches.”
Wyden asked Amazon to respond to a series of questions, including whether it has provided any guidance to its cloud computing customers about the potential for hacks.
