AP/Mark Lennihan
- The vulnerability that led to the Capital One data breach was a result of a misconfigured Capital One system that communicates with Amazon's Web Services (AWS) cloud platform, according to a report in The Wall Street Journal.
- The type of vulnerability has been known about by security researchers for years.
- Amazon places the responsibility on its clients to properly configure their systems.
- The incident underscores what's likely to become a louder debate about security within the nascent cloud industry.
- Visit Business Insider's homepage for more stories.
The vulnerability that led to the Capital One hack was known by security researchers since 2014, according to a report in The Wall Street Journal on Monday.
The Capital One breach was a result of misconfigured setting on a system that allowed the bank to communicate with Amazon Web Services (AWS), the bank's cloud provider. The misconfiguration led to weak security in one of the bank's networks.
Transform talent with learning that worksCapability development is critical for businesses who want to push the envelope of innovation.Discover how business leaders are strategizing around building talent capabilities and empowering employee transformation.Know More It's unclear if Amazon itself knew if Capital One's systems specifically were misconfigured before the breach. Amazon says that it offers alerts when it detects security incidents, but no alert was sent or received by either Amazon or Capital One.
Still, Amazon places the responsibility on its customers to properly configure their systems, according to security adviser Scott Piper, who advises companies like Capital One on Amazon cloud security and spoke with the WSJ. Even if Amazon had known that a Capital One system was misconfigured, it's unclear if Amazon would have done anything about it.
It's likely that Capital One's security teams knew of the existence of the general type of vulnerability exploited in the breach, but whether they were aware that one of their systems was misconfigured isn't clear, either.
At the core of it, the Capital One breach appears to be an IT error on Capital One's part. Amazon has refused to take any culpability with the Capital One breach, and Capital One doesn't blame Amazon, either.
The debate of whether Amazon or Capital One did enough to prevent the hack underscores the extent to which the nascent cloud computing industry is still grappling with important procedures and expectations. Security in particular is an area that's likely to receive increasing scrutiny.
In February, it was found that other AWS clients have misconfigured systems, similar the one that led to the Capital One breach, according to security researcher Brennan Thomas who spoke with WSJ. And Thomas also said that the vulnerability isn't specific to AWS, but to other cloud platforms, too.
Amazon did not immediately replay to a request for comment.
Next Story
Colon cancer rates are rising in young people. If you have two symptoms you should get a colonoscopy, a GI oncologist says.
I spent $2,000 for 7 nights in a 179-square-foot room on one of the world's largest cruise ships. Take a look inside my cabin.
An Ambani disruption in OTT: At just ₹1 per day, you can now enjoy ad-free content on JioCinema
Vegetable prices to remain high until June due to above-normal temperature
RBI action on Kotak Mahindra Bank may restrain credit growth, profitability: S&P
'Vote and have free butter dosa': Bengaluru eateries do their bit to increase voter turnout
Reliance gets thumbs-up from S&P, Fitch as strong earnings keep leverage in check
Realme C65 5G with 5,000mAh battery, 120Hz display launched starting at ₹10,499
