If the alleged Capital One hacker also took information from dozens of other companies, as investigators suspect, then Amazon Web Services isn’t aware of it, according to the cloud computing giant.
The company outlined its findings in a letter to Sen. Ron Wyden, D-Ore., who had sought more detail on how a reported misconfiguration in a Capital One server hosted on AWS could have made it possible for a single individual to steal information about more than 100 million people.
The letter said AWS is not aware of any breaches at other “noteworthy” customers, cautioning that there “may have been small numbers of these that haven’t been escalated to us.” This follows court filings indicating government investigators are probing whether the accused hacker, Paige Thompson, also took data from more than 30 other companies, along with Capital One.
Wyden asked whether any vulnerabilities in the AWS cloud service, which serves millions of customers, contributed to the data breach. Specifically, the senator wanted to know whether the hacker had exploited a “server-side request forgery (SSRF) vulnerability,” a flaw in which an attacker induces a server to make requests on the attacker’s behalf, reaching internal services and data that the attacker could not reach directly.
“As Capital One outlined in their public announcement, the attack occurred due to a misconfiguration error at the application layer of a firewall installed by Capital One, exacerbated by permissions set by Capital One that were likely broader than intended,” Stephen Schmidt, the chief information security officer for AWS, said in an Aug. 13 response to Wyden.
“After gaining access through the misconfigured firewall and having broader permissions to access resources, we believe a SSRF attack was used (which was one of several ways an attacker could have potentially gotten access to data once they got in through the misconfigured firewall),” Schmidt said.
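To make the SSRF mechanism described above concrete, the following is an added example in Python; it is not code from Capital One, AWS or the letter. It shows a server-side “fetch this URL for me” handler in its naive form, which will happily retrieve addresses only the server can reach, beside a hardened form that resolves the hostname and refuses any destination that is not a public address. The hostnames, addresses, resolver and fetcher are constructed for the demo so it runs offline. The page does not say which internal resource the attacker reached, so the example blocks the whole class of non-public destinations: loopback, private ranges, and the link-local range in which cloud instance metadata services conventionally live.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed stand-in for DNS so the example runs offline: hostnames an
# attacker might submit, mapped to what they resolve to. These are demo values.
FAKE_DNS = {
    "example.com": "93.184.216.34",          # a public address
    "metadata.internal": "169.254.169.254",  # link-local, typical of cloud metadata services
    "localhost": "127.0.0.1",                # loopback
    "db.corp": "10.0.0.5",                   # private range
}


def fake_resolver(host):
    """Resolve a hostname via the constructed table (stand-in for socket.gethostbyname)."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"cannot resolve {host}")


def fake_fetcher(url):
    """Stand-in for an HTTP client; returns a marker instead of making a request."""
    return f"<contents of {url}>"


def fetch_vulnerable(url, fetcher=fake_fetcher):
    # SSRF-prone pattern: the server fetches whatever URL the caller supplies,
    # so the caller can aim it at addresses that only the server can reach.
    return fetcher(url)


def target_is_safe(url, resolver=fake_resolver):
    """Return (ok, reason). ok is True only for http(s) URLs whose host resolves to a public address."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    # Accept a literal IP as-is; otherwise resolve the name. The check is made on
    # the address actually reached, not on the string the caller typed.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        try:
            addr = ipaddress.ip_address(resolver(host))
        except (socket.gaierror, ValueError) as exc:
            return False, f"resolution failed: {exc}"
    if (addr.is_loopback or addr.is_link_local or addr.is_private
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
        return False, f"{host} resolves to non-public address {addr}"
    return True, str(addr)


def fetch_hardened(url, resolver=fake_resolver, fetcher=fake_fetcher):
    # Hardened pattern: validate the destination before the server makes any request.
    ok, reason = target_is_safe(url, resolver)
    if not ok:
        raise PermissionError(f"refusing to fetch {url}: {reason}")
    return fetcher(url)


if __name__ == "__main__":
    for candidate in ("https://example.com/report",
                      "http://metadata.internal/latest/",
                      "http://169.254.169.254/latest/",
                      "http://localhost:8080/admin",
                      "file:///etc/passwd"):
        print(candidate, "->", target_is_safe(candidate))
```

Two caveats apply in real deployments. The check is performed on the resolved address, so alternative spellings of the same host are caught only as far as the resolver normalizes them, and a hostname that resolves differently on the second lookup (DNS rebinding) can defeat a check-then-fetch sequence; the fix is to connect to the address you validated rather than resolving again. Redirects must be validated the same way, since a public host can redirect the server to an internal one. None of this replaces the firewall configuration and least-privilege points made in the letter; it only removes one of the “several ways” in.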
AWS said it has contacted customers that may have been affected and that none have reported “any significant issues.”
The company offers “clear guidance” on securing cloud infrastructure and provides clients with how-to-guides and professional services for setting up protections, the letter said.
AWS said it intends to be more proactive following the Capital One incident. Last week, the company started scanning public IP addresses to try to detect misconfigurations. AWS will not always be able to tell whether a server is truly misconfigured, but if something looks amiss, Schmidt said, the cloud provider “will err on the side of over-communicating.”
AWS also will do more to ensure its anomaly detection services are “more broadly adopted and accessible in every geographic region” where the company operates, he said.