Should you own Amazon stock? It would certainly be a better investment if its most profitable business, AWS, was growing faster. And the odds of that happening would be better if the industry in which it competes — cloud services — was accelerating.
But news that Capital One — a proud AWS customer whose stock plunged over 5% in premarket trade on July 30 — suffered a 106 million customer data breach makes me think it’s possible that AWS’s growth might slow down even more (AWS grew over 40% in previous quarters and slowed to 37% in the latest quarter) and give pause to companies in the middle of moving their IT operations to the cloud.
Amazon stock — which trades 7% below its all-time high — is down nearly 1% in pre-market trading on July 30.
(I am a Capital One customer and have no financial interest in the securities mentioned in this post).Today In: Money
What happened? On June 18, Paige Thompson, a former AWS employee who left in 2016 (known online as “erratic”), tweeted that she had posted Capital One customer information on her GitHub account — the Microsoft-owned service that lets developers store software development revisions, according to Bloomberg.
Capital One evidently did not become aware of this for about four months. On July 17, it received an email sent to an account it set up for tipsters to notify Capital One of computer systems breaches. The email noted that “There appears to be some leaked s3 [AWS’s data storage service] data of yours in someone’s github/gist.” A link was provided to an account at GitHub, according to Bloomberg.
Capital One followed the link and found Thompson’s name. On July 29, Capital One announced that 100 million US accounts and six million Canadian ones were affected by the breach.
Prosecutors charged that Thompson accessed the Capital One data through her GitHub account between March 12 and July 17 and that a file on her account — timestamped April 21 — contained “a list of more than 700 folders and buckets of data,” according to Bloomberg.
GitHub says that the file posted on its system did not contain any stolen Capital One customer information.
According to an August 3 email from a GitHub spokesperson, “GitHub promptly investigates content, once it’s reported to us, and removes anything that violates our Terms of Service. The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information. We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request.”
Approximately 140,000 Social Security numbers and 80,000 bank account numbers, as well as some customers’ credit scores, payment histories and credit limits were leaked, according to the Wall Street Journal.
Meanwhile customer data such as names, addresses and dates of birth, and some financial information, including self-reported income and credit scores for those 106 million customers was affected by the breach, noted Bloomberg.
Capital One said that the breach was not the fault of AWS. Instead, Capital One had “improperly configured a firewall” — a problem that Capital One fixed when the company discovered it, according to Bloomberg. Capital One said it was “unlikely that the information was used for fraud or disseminated by this individual.”
This data breach is not the worst ever — consider the 2017 Equifax data breach in which 145 million Social Security Numbers, names and dates of birth were stolen due to the company’s failure to patch a known flaw in its servers — costing Equifax about $650 million.
The breach raises questions about whether Capital One’s cloud strategy is miscalculated. Capital One has bragged about its use of the cloud for data storage. In April, its CEO Richard Fairbank told analysts that the company was “building a technology company that does banking, instead of a bank that just uses technology,” reported the Journal.
Appearing at AWS conferences, the Journal reported that Capital One executives have said that AWS has enabled the company to “handle spikes in computing-power needs, such as credit-card purchases on Black Friday, and roll out products faster to customers. By 2020. Capital One expects to complete the process of closing its data centers and moving the work formerly done there to AWS, according to the Journal.
The incident is expected to cost Capital One between $100 million and $150 million, according to the Journal, which reported that Fairbank said “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
Questions About Cloud Safety For Capital One and AWS
Banks are understandably conservative about big technological changes. As the Journal reported, most “have moved cautiously to the cloud, partly because of security concerns and the need to keep certain customer and transaction data walled off.”
Based on what I’ve read, it looks like the hack was due mostly to the skills of AWS’s rogue former employee combined with lax security oversight by Capital One. Why did it take Capital One so long to discover that the customer information had been breached? Why was the firewall designed to protect the data improperly configured and for how long? And why did Capital One IT supervisors not catch the error sooner?
Sadly this is not the first time that Capital One has suffered a breach. According to the New York Times, in 2017 Capital One notified customers “that a former employee may have had access for nearly four months to their personal data, including account numbers, telephone numbers, transaction history and Social Security numbers.” A similar breach at Capital One took place in 2014, according to the Times.
There are also questions for AWS. How many of their current and/or former employees are eager to use their knowledge of AWS — as Thompson allegedly did — to embarrass AWS by breaching customer data? Does AWS provide customers with any assurance against this risk? Will current or potential AWS customers look to other cloud services vendors who might offer better protection?
I have contacted Capital One and AWS for comment and will update this post if I receive responses.
David Friend, CEO of cloud services provider, Wasabi Technologies does not think this breach will cause much damage to AWS or Capital One. As he said in a July 30 interview, “[The breach will] probably not [inflict] much [reputational] damage on either [company]. Capital One got a bit of a black eye, but I don’t think most people blame Amazon even though it was their system that was hacked. Employee (or ex-employee) sabotage and hacking is tough to completely eliminate.”
Friend thinks the breach will be good for credit monitoring companies. As he said, “This was a very good day for the credit monitoring companies who are now going to get a lot of new subscribers, all paid for by Capital One.”