Multiple lawsuits have been filed over the recent hack of Capital One data stored on Amazon Web Services Inc.’s (AWS) infrastructure. AWS is at least one of these.
Capital One announced last month the “data security incident”, in which a person identified as an ex-AWS engineer gained personal information from customers who applied for credit cards.
The company’s data was stored on AWS infrastructure. This is a problem that continues to plague the company, even though many well-publicized data breaches or exposures are usually caused by user misconfigurations rather than inherent cloud platform flaws.
For example, the Capital One breach was not initiated by an individual. However, a “firewall configuration misconfiguration” was partly responsible for the exposure of the data to attack.
GeekWire reported last week on the resulting lawsuits. It noted that a plaintiff group, also named Amazon Web Services, Capital One’s cloud provider, claimed that the tech giant is also culpable.
GeekWire stated that GitHub, an open source code repository and development platform was also named in a suit. It was accused of failing to respond to hacked data.
This lawsuit, filed in Seattle federal court, includes Amazon as a defendant. It claims that Amazon knew of a vulnerability exploited by Paige Thompson (an engineer from Seattle) and “did not do anything to fix it.” An ex-AWS employee, the alleged attacker, hacked into a misconfigured Web app firewall. According to the complaint, AWS knows that the single-line command that exposes AWS credentials for any EC2 system is available and is included in their online documentation. It is also well-known among hackers. According to Newsweek, AWS denied any responsibility for this hack. A spokesperson for Amazon Web Services told Newsweek that AWS was not compromised in any manner and that it functioned as intended. The attacker gained access by misconfiguring the Web application, not the cloud-based infrastructure. Capital One clearly stated in its disclosure that this vulnerability is not limited to the cloud. ”
The Capital One hack was nonetheless bad news for AWS. AWS has long been plagued with reports of exposed data, often caused by misconfigurations. No matter how much security guidance they publish, AWS has been plagued for years by such reports.