Capital One pays $22m in cybersecurity incident expenses as Elizabeth Warren uses breach to attack Amazon

American lender Capital One has revealed its third quarter results and it seems like the highly reported security breach has taken a big chunk out of its profits.

Now Democratic presidential hopeful Elizabeth Warren is using it in her campaign to restrict the power of big tech companies.

In the third quarter of 2019, Capital One spent $22m on cybersecurity incident expenses.

The news comes after the US bank fell victim to a cybersecurity breach, which resulted in a massive conversation about its digital defences and the responsibility of big companies to keep their clients’ personal information safe.

The financial holdings company was breached in March this year, but only discovered the violation of its safeguards in mid-July. The attack compromised 106 million customers’ data.

Since then the accused hacker has been arrested. She has pleaded not guilty.

However, the controversy has spread far beyond the original breach and is now being used by Warren in her continuous efforts to roll back tech titans’ influence.

Warren and senator Ron Wyden wrote a letter to the Federal Trade Commission on Thursday October 24. They asked the regulator to investigate Amazon’s role in the Capital One hack. The bank had rented the affected servers from Amazon.

The lawmakers stated that the hacker used a technique known as server-side request forgery, or SSRF. This is a common strategy for criminals to target organizations’ internal systems and to steal valuable data. It allows an attacker to send crafted requests from the back-end server of a vulnerable web application.

Warren and Wyden wrote that since a researcher had demonstrated that Amazon’s infrastructure was vulnerable to SSRF attacks as early as 2014, Amazon should have known that Amazon Web Services (AWS) was vulnerable and acted accordingly.

They stated that both Google and Microsoft had acknowledged the weakness in the past and acted upon it.

“Although Amazon’s competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective cloud computing services to businesses, government agencies, and to the general public,” they wrote. “As such, Amazon shares some responsibility for the theft of data on 100 million Capital One customers.”

An AWS spokesperson told CNBC in a statement, “The letter’s claim is baseless and a publicity attempt from opportunistic politicians. As Capital One has explained, the perpetrator attacked a misconfiguration at the application layer of a Capital One firewall. The SSRF technique used in this incident was just one of many subsequent steps the perpetrator followed after gaining access to the company’s systems, and could have been substituted for a number of other methods given the level of access already gained.”

Capital One also reported that its income for the third quarter of 2019 had dropped to $1.3bn, down from $1.6bn in the second quarter of 2019.

Copyright © 2019 FinTech Global
