Massive Data Breach Raises Concerns over Cloud Security




A data breach resulting in the leak of over 100 million users' private data raises serious concerns over the security of cloud-based data storage.


In a breaking story that shook the foundations of both the technology and financial sectors, it was announced Capital One's servers had been breached. Approximately 100 million credit card applications had been leaked, complete with personal information such as social security numbers, credit scores and transaction data.

What makes this data breach even more significant is where that breached server resides. The data is hosted by Amazon Web Services (AWS), arguably the largest cloud provider on the planet, with 47.8% of the total e-commerce market share; Microsoft comes in second with 15.5%. AWS provides the web-based platform and storage facilities for countless major companies and software applications. Such applications include accounting/ERP applications and even some detailing/estimating packages used throughout the architectural industry.

Amazon has denied responsibility for the breach in a public statement, claiming "The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure." This effectively places the blame at the feet of Capital One and their I.T. people.

Shortly thereafter, a former employee of Amazon Web Services, Paige A. Thompson of Seattle, WA, was identified as being responsible for breaking into the server in question. Ms. Thompson appeared before a U.S. Magistrate Judge on July 29th and the case is ongoing.

Regardless of whether the breach was ultimately caused by software application failures or the malicious actions of a former employee, the greater issue remains. As software developers, and by extension their business clients, increasingly rely on web-based solutions and storage to maintain critical and private data, one is forced to question just how secure these platforms really are. Most cloud users have become accustomed to reading reports of "hacks" and data breaches occurring from service providers such as Apple, Google, Dropbox and others. They simply accepted this as being the "cost of doing business" and resigned themselves to accepting the risk of their data being compromised in light of the convenience being offered.

In the days following the recent Capital One/AWS breach, however, it wasn't just users that pushed the proverbial panic button. During the time this breach occurred, Amazon was looking forward to being awarded a $10 billion contract with the U.S. Defense Department. The Pentagon contract would have carried a 10-year term, but was put on hold in the wake of the disastrous news. The White House has apparently instructed the defense secretary to investigate the matter further.


Clearly, cloud-based solutions and storage are going to be with us for a very long time. No one could possibly question the convenience afforded by making data accessible to users everywhere. Companies such as Netflix rely on AWS to distribute their library of content to a world-wide audience. Perhaps one should pause, however, to consider the wisdom of exactly what data is being consigned to such an obviously vulnerable platform. A growing number of companies and I.T. professionals choose to implement cloud-based applications as an alternative to traditional "on premise" solutions - for no reason other than to save themselves the time and cost of maintaining them. In the process they may be exposing their business-critical data to unnecessary risk. Is it truly necessary – or advisable – to make confidential data so easily accessible?

Despite what its name implies, the "cloud" is not an ethereal storage vault, hovering far above the reach of mere humans; it's simply a collection of servers and hard drives that reside in someone else's building. Consider this: A single, disgruntled employee can cause the exposure of 100 million users' private data. Cloud service providers currently employ tens of thousands of individuals.

The following are links to additional articles that detail the Capital One/Amazon Web Services data breach.


Graham, Jefferson. "Capital One data breach: Amazon Web Services is backbone for Netflix, NASA and others" USA Today, https://www.usatoday.com/story/tech/talkingtech/2019/07/30/amazon-aws-unit-says-its-not-responsible-capital-one-data-breach/1868862001. Accessed 23 August, 2019.

Christian Berthelsen, Matt Day, and William Turton. "Capital One Says Breach Hit 100 Million Individuals in U.S." Bloomberg, https://www.bloomberg.com/news/articles/2019-07-29/capital-one-data-systems-breached-by-seattle-woman-u-s-says. Accessed 23 August, 2019.

Jay Greene and Drew Harwell. "The Capital One hack couldn't have come at a worse time for Amazon's most profitable business" Washington Post, https://www.washingtonpost.com/technology/2019/08/01/capital-one-hack-couldnt-have-come-worse-time-amazons-most-profitable-business. Accessed 23 August, 2019.

Aaron Gregg and Josh Dawsey. "After Trump cites Amazon concerns, Pentagon reexamines $10 billion JEDI cloud contract process" Washington Post, https://www.washingtonpost.com/business/2019/08/01/after-trump-cites-amazon-concerns-pentagon-re-examines-billion-jedi-cloud-contract-process. Accessed 23 August, 2019.


We welcome any questions, comments or suggestions about any topic mentioned in this edition of AVAwire. Please visit our website for more information, or contact us directly at (416) 239-9099.