Security researchers warned for years about the cloud-security flaw used in the massive Capital One hack, but Amazon apparently leaves it up to customers to protect

  • The vulnerability that led to the Capital One data breach was a result of a misconfigured Capital One system that communicates with the Amazon Web Services cloud platform, according to a report in The Wall Street Journal.
  • The type of vulnerability has been known about by security researchers for years.
  • Amazon places the responsibility on its clients to properly configure their systems.
  • The incident underscores what’s likely to become a louder debate about security within the nascent cloud industry.
  • Visit Business Insider’s homepage for more stories.

The vulnerability that led to the Capital One hack was known by security researchers since at least 2014, according to a report in The Wall Street Journal on Monday.

The Capital One breach was a result of misconfigured setting on a system that allowed the bank to communicate with Amazon Web Services, the bank’s cloud provider. The misconfiguration led to weak security in one of the bank’s networks.

It’s unclear whether Amazon knew whether Capital One’s systems specifically were misconfigured before the breach. Amazon says it offers alerts when it detects security incidents, but no alert was sent or received by Amazon or Capital One.

Still, the security adviser Scott Piper, who advises companies like Capital One on Amazon cloud security, told The Journal that Amazon placed the responsibility on its customers to properly configure their systems. Even if Amazon had known that a Capital One system was misconfigured, it’s unclear whether Amazon would have done anything about it.

It’s likely that Capital One’s security teams knew of the general type of vulnerability exploited in the breach, but whether they were aware that one of their systems was misconfigured isn’t clear, either.

At the core of it, the Capital One breach appears to be an IT error on Capital One’s part. Amazon has refused to take any culpability with the Capital One breach, and Capital One doesn’t blame Amazon, either.

The debate of whether Amazon or Capital One did enough to prevent the hack underscores the extent to which the nascent cloud-computing industry is still grappling with important procedures and expectations. Security in particular is an area that’s likely to receive increasing scrutiny.

In February, it was found that other AWS clients had misconfigured systems, similar the one that led to the Capital One breach, the security researcher Brennan Thomas told The Journal. And Thomas also said the vulnerability wasn’t specific to AWS but to other cloud platforms, too.

Amazon did not immediately reply to a request for comment.