AP/Mark Lennihan
- The vulnerability that led to the Capital One data breach was a result of a misconfigured Capital One system that communicates with Amazon's Web Services (AWS) cloud platform, according to a report in The Wall Street Journal.
- The type of vulnerability has been known about by security researchers for years.
- Amazon places the responsibility on its clients to properly configure their systems.
- The incident underscores what's likely to become a louder debate about security within the nascent cloud industry.
- Visit Business Insider's homepage for more stories.
The vulnerability that led to the Capital One hack was known by security researchers since 2014, according to a report in The Wall Street Journal on Monday.
The Capital One breach was a result of misconfigured setting on a system that allowed the bank to communicate with Amazon Web Services (AWS), the bank's cloud provider. The misconfiguration led to weak security in one of the bank's networks.
It's unclear if Amazon itself knew if Capital One's systems specifically were misconfigured before the breach. Amazon says that it offers alerts when it detects security incidents, but no alert was sent or received by either Amazon or Capital One.
Still, Amazon places the responsibility on its customers to properly configure their systems, according to security adviser Scott Piper, who advises companies like Capital One on Amazon cloud security and spoke with the WSJ. Even if Amazon had known that a Capital One system was misconfigured, it's unclear if Amazon would have done anything about it.
It's likely that Capital One's security teams knew of the existence of the general type of vulnerability exploited in the breach, but whether they were aware that one of their systems was misconfigured isn't clear, either.
At the core of it, the Capital One breach appears to be an IT error on Capital One's part. Amazon has refused to take any culpability with the Capital One breach, and Capital One doesn't blame Amazon, either.
The debate of whether Amazon or Capital One did enough to prevent the hack underscores the extent to which the nascent cloud computing industry is still grappling with important procedures and expectations. Security in particular is an area that's likely to receive increasing scrutiny.
In February, it was found that other AWS clients have misconfigured systems, similar the one that led to the Capital One breach, according to security researcher Brennan Thomas who spoke with WSJ. And Thomas also said that the vulnerability isn't specific to AWS, but to other cloud platforms, too.
Amazon did not immediately replay to a request for comment.