The News: Capital One hacker Paige Thompson, former Amazon engineer, was indicted by a grand jury today on multiple counts of wire fraud and computer fraud following allegations that she not only stole data from Capital One and up to 30 other companies, but that she also mined cryptocurrency once she was able to infiltrate the cloud servers of the various companies involved. Read more on this at GeekWire.
Capital One Hacker Indictment Not Great News for Amazon’s AWS
Analyst Take: This is not the best time for Amazon’s AWS to be in the news as it relates to firewall vulnerabilities.
Some quick back story — the hack itself took place on March 22 and 23, but Capital One only learned of the intrusion in mid-July, after a GitHub user flagged a post (made by Thompson). The FBI was soon on the case.
The allegations against Thompson claim that she exploited misconfigured web application firewalls on the compromised companies’ cloud servers. While it hasn’t (yet) been publicly announced that those servers belong to Amazon AWS cloud, it is looking as though that’s the case.
The indictment against Thompson alleges that she used the servers she was able to reach through these firewall vulnerabilities to mine cryptocurrency, a practice called “cryptojacking.” In essence, cryptojacking lets a hacker earn money from mining cryptocurrency by using the computing power of others — in this case, Capital One and the other compromised companies.
Where Amazon Gets More Involved
A lawsuit was filed in California in early August by some consumers angry about the breach, and a subsequent suit was filed the following week naming both GitHub and Amazon as defendants. The second suit alleges that Amazon knew about the vulnerability that made the hack possible and took no action to fix it. According to the complaint, “The single-line command that exposes AWS credentials on any EC2 system is known by AWS and is in fact included in their online documentation … [I]t is also well known among hackers.”
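The credential-exposing command the complaint refers to is a request to the EC2 instance metadata service, which hands an instance's temporary role credentials to anything that can reach it from inside the instance (this identification of the mechanism is the editor's, based on the public record of the incident, and is not stated in the article). The defender-side check below is an added example, not the article's or AWS's code: it audits `describe-instances` output for instances that still answer metadata requests without a session token (the "IMDSv1" mode; token-required "IMDSv2" was released by AWS after this column was written) or that forward metadata responses more than one network hop. The JSON shape follows the real `aws ec2 describe-instances` response (`Reservations[].Instances[].MetadataOptions`), but the instance IDs and settings are constructed sample data so the script runs offline; `modify-instance-metadata-options` and its `--http-tokens` / `--http-put-response-hop-limit` flags are real AWS CLI options.

```python
"""Audit EC2 MetadataOptions for settings that leave role credentials
reachable without a token (IMDSv1) or from an extra network hop.

Added example, not from the article or from AWS. Uses a constructed
describe-instances document instead of a live API call.
"""
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output.
# Instance IDs are made up; settings are chosen to cover each case.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0example000000001",            # hardened: token required, 1 hop
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0example000000002",            # legacy: tokens optional (IMDSv1 allowed)
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0example000000003",            # token required but responses cross 2 hops
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0example000000004",            # metadata endpoint turned off entirely
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
    ]}]
})


def audit_metadata_options(describe_output: str) -> list[dict]:
    """Return one finding per instance whose metadata service is reachable
    in a weaker-than-recommended configuration."""
    findings = []
    data = json.loads(describe_output)
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            iid = inst.get("InstanceId", "<unknown>")
            opts = inst.get("MetadataOptions", {})
            # A disabled endpoint cannot hand out credentials at all; nothing to flag.
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue
            issues = []
            # "optional" means plain GET requests (no session token) are answered,
            # which is exactly what a forwarded request from a web app can issue.
            if opts.get("HttpTokens", "optional") != "required":
                issues.append("IMDSv1 allowed (HttpTokens is not 'required')")
            # Hop limit 1 keeps token responses from leaving the instance itself
            # (e.g. to a container or proxy); anything higher widens the reach.
            hop_limit = int(opts.get("HttpPutResponseHopLimit", 1))
            if hop_limit > 1:
                issues.append(f"HttpPutResponseHopLimit is {hop_limit} (expected 1)")
            if issues:
                findings.append({"InstanceId": iid, "Issues": issues})
    return findings


def remediation_command(instance_id: str) -> str:
    """Build the AWS CLI call that enforces token-required metadata with a
    single hop on one instance (real CLI command and flags)."""
    return (
        "aws ec2 modify-instance-metadata-options "
        f"--instance-id {instance_id} "
        "--http-tokens required --http-endpoint enabled "
        "--http-put-response-hop-limit 1"
    )


if __name__ == "__main__":
    for finding in audit_metadata_options(SAMPLE_DESCRIBE_INSTANCES):
        print(finding["InstanceId"], "->", "; ".join(finding["Issues"]))
        print("   fix:", remediation_command(finding["InstanceId"]))
```

Run against real output by piping `aws ec2 describe-instances` into `audit_metadata_options`; the check is per-instance and does not replace fixing the application-layer misconfiguration (the proxy or WAF that forwards arbitrary requests), which the token requirement only blunts rather than removes.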
Why This is Bad Timing for Amazon — Can You Say “DoD JEDI contract”?
Hacks happen. There are going to be more of them, and we are, as a society, becoming largely immune to the news of yet another data breach. Sad, but true. The problem for Amazon in this case is all about image and reputation. Amazon AWS is one of two major contenders named in April for the Pentagon’s $10B JEDI cloud contract — with Microsoft being the other selected as a finalist.
The JEDI contract itself is a controversial one: the DoD seeks to build a cloud infrastructure using a single cloud services provider, and the $10 billion price tag so often bandied about in discussions of this RFP is really just the beginning. It’s only logical that the vendor ultimately awarded the contract stands to win substantial government work going forward, and naturally every tech company under the sun has been clamoring to get a part of it. In fact, some of the vendors who’ve been eliminated (read: Oracle) want it so badly that they keep filing appeals.
That aside, the timing here truly could not be worse for Amazon AWS. To be in the news and connected to a major security breach with a gigantic financial services company at just the time when the government is making final assessments between the two finalist vendors is, well, not ideal.
I’ve said before in this space that while Amazon AWS is probably the best cloud solution for the DoD, and in fact has been rumored to be favored, I believe that it’s entirely possible Microsoft will ultimately be awarded the JEDI contract. AWS has the security clearances and certainly the capability to fulfill the needs of the DoD as it relates to cloud infrastructure, but does it take a knock on the credibility front when it comes to news of this nature? I think perhaps so.
The current administration is no fan of Amazon owner Jeff Bezos, and being named in a lawsuit of this nature might be just the thing that Defense Secretary Esper can’t defend against. The DoD JEDI contract is supposed to be awarded and announced in late August, so I guess we’ll know quickly enough.
Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.
The original version of this article was first published on Futurum Research.
Shelly Kramer is a Principal Analyst and Founding Partner at Futurum Research. A serial entrepreneur with a technology centric focus, she has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation. She brings 20 years' experience as a brand strategist to her work at Futurum, and has deep experience helping global companies with marketing challenges, GTM strategies, messaging development, and driving strategy and digital transformation for B2B brands across multiple verticals. Shelly's coverage areas include Collaboration/CX/SaaS, platforms, ESG, and Cybersecurity, as well as topics and trends related to the Future of Work, the transformation of the workplace and how people and technology are driving that transformation. A transplanted New Yorker, she has learned to love life in the Midwest, and has firsthand experience that some of the most innovative minds and most successful companies in the world also happen to live in “flyover country.”