...
I think that they should start by attaching executive-level penalties like those of the Sarbanes-Oxley Act, which was created out of the Enron debacle: CEOs and CFOs (and add CTOs) should be held personally responsible (and thrown in jail) for not doing enough to prevent data hacking, and given jail sentences when it happens.
...
...
It’s absolute bullshit, and executives should go to prison for it: that’ll clean it up right quick.
In this case, which CEO? Capital One? or Amazon AWS? or Both?
(I am inferring that the "cloud computing company that isn’t identified" in the first quoted paragraph from Bloomberg [1] is AWS. In the second quoted paragraph, an AWS spokesman confirmed the data was on their server. What is not confirmed is whether it was stolen FROM their server and who did the bad firewall configuration. After all, it is possible for the data to be stolen en route to the AWS server before AWS has anything to do with it.)
That leads to the firewall. In the Forbes article [2], they are not pointing the finger at AWS, but at the firewall. But what kind?
A real or virtual one inside AWS for Capital One -or- perhaps a virtual firewall inside AWS servers dedicated to Capital One -or- a firewall inside Capital One's own facilities for AWS and other outgoing connections?
Unless it turns out this is a firewall that has nothing to do with AWS, you can even argue this breach is a "cloud-enabled breach". The data was on the cloud (AWS) or on the way to the cloud, and the stolen data list was on a cloud (Microsoft GitHub).
This cloud thing is a mess - everyone has some responsibility and thus everyone has some fault. This case, if it becomes a legal case, may clear up some of the unknowns regarding liability/legal issues.
------------- References/Links
[1] From Bloomberg article: "Tipster’s Email Led to Arrest in Massive Capital One Breach":
"... ...
In a complaint filed Monday in Seattle, prosecutors said that Thompson accessed the data at various times between March 12 and July 17. A file on her GitHub account, timestamped April 21, contained a list of more than 700 folders and buckets of data, according to prosecutors.
The Capital One data had been stored on servers it contracted from a cloud computing company that isn’t identified, though the charges against Thompson refer to information stored on S3, a reference to Amazon Web Services’ popular data storage software.
...
...
An AWS spokesman confirmed that the company’s cloud had stored the Capital One data that was allegedly stolen, and said it wasn’t accessed through a breach or vulnerability in its systems.
...
...
Capital One has been one of the most vocal advocates for using cloud services among banks.
...
...
“We have embraced the public cloud and are well on our way to migrating our applications and data to the cloud,” Chief Executive Officer Richard Fairbank told analysts on a conference call in April. “We are now considered one of the most cloud forward companies in the world.”
...
..."
Original Bloomberg article: https://www.bloomberg.com/news/articles/2019-07-30/tipster-s-email-led-to-arrest-in-massive-capital-one-data-breach
[2] From Forbes article: "Will Capital One's 106M Name Data Breach Cut Into AWS's Growth?":
"... ... ... Capital One said that the breach was not the fault of AWS. Instead, Capital One had “improperly configured a firewall” — a problem that Capital One fixed when the company discovered it, according to Bloomberg. Capital One said it was “unlikely that the information was used for fraud or disseminated by this individual.” ... ... ..."
Link: https://www.forbes.com/sites/petercohan/2019/07/30/will-capital-ones-106m-name-data-breach-cut-into-awss-growth/