The News: Capital One hacker Paige Thompson, former Amazon engineer, was indicted by a grand jury today on multiple counts of wire fraud and computer fraud following allegations that she not only stole data from Capital One and up to 30 other companies, but that she also mined cryptocurrency once she was able to infiltrate the cloud servers of the various companies involved. Read more on this at GeekWire.
Capital One Hacker Indictment Not Great News for Amazon’s AWS
Analyst Take: This is not the best time for Amazon’s AWS to be in the news as it relates to firewall vulnerabilities.
Some quick backstory — the hack itself took place on March 22 and 23, but Capital One only learned of the intrusion in mid-July, after a GitHub user flagged a post made by Thompson. The FBI was soon on the case.
The allegations against Thompson claim that she exploited misconfigured web application firewalls on the compromised companies’ cloud servers. While it hasn’t (yet) been publicly announced that those servers belong to Amazon AWS cloud, it is looking as though that’s the case.
The indictment against Thompson alleges that she used the access she gained to these servers through the firewall misconfigurations to mine cryptocurrency, a practice known as “cryptojacking.” In essence, cryptojacking lets an attacker earn money from mining cryptocurrency by using someone else’s computing power — in this case, that of Capital One and the other compromised companies.
Where Amazon Gets More Involved
A lawsuit was filed in California in early August by some consumers angry about the breach, and a subsequent suit was filed the following week naming both GitHub and Amazon as defendants. The second suit alleges that Amazon knew about the vulnerability that made the hack possible and took no action to fix it. According to the complaint, “The single-line command that exposes AWS credentials on any EC2 system is known by AWS and is in fact included in their online documentation … [I]t is also well known among hackers.”
Why This is Bad Timing for Amazon — Can You Say “DoD JEDI contract”?
Hacks happen. There are going to be more of them, and we are, as a society, becoming largely immune to the news of yet another data breach. Sad, but true. The problem for Amazon in this case is all about image and reputation. Amazon AWS is one of two major contenders named in April for the Pentagon’s $10B JEDI cloud contract — with Microsoft being the other selected as a finalist.
The JEDI contract itself is a controversial one: The DoD seeks to build a cloud infrastructure using a single cloud services provider, and the $10 billion price tag so often bandied about in discussions about this RFP is really just the beginning. It’s only logical that the vendor that is ultimately awarded the contract stands to win substantial government work going forward, and naturally every tech company under the sun has been clamoring to get a part of it. In fact, some of the vendors who’ve been eliminated (read: Oracle) want it so badly that they keep filing appeals.
That aside, the timing here truly could not be worse for Amazon AWS. To be in the news and connected to a major security breach with a gigantic financial services company at just the time when the government is making final assessments between the two finalist vendors is, well, not ideal.
I’ve said before in this space that while Amazon AWS is probably the best cloud solution for the DoD, and in fact has been rumored to be favored, I believe that it’s entirely possible Microsoft will ultimately be awarded the JEDI contract. AWS has the security clearances and certainly the capability to fulfill the needs of the DoD as it relates to cloud infrastructure, but does it take a knock on the credibility front when it comes to news of this nature? I think perhaps so.
The current administration is no fan of Amazon owner Jeff Bezos, and being named in a lawsuit of this nature might be just the thing that Defense Secretary Esper can’t defend against. The DoD JEDI contract is supposed to be awarded and announced in late August, so I guess we’ll know quickly enough.
Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.