When we recently wrote about Capital One’s communications around its massive data breach, we mentioned only in passing that Amazon Web Services, which hosted the bank’s data, issued its own statement denying culpability. Now, it seems, Amazon — and its crisis communications — are getting more attention.

In a recent blog post, John Reed Stark, a cybersecurity consultant and former chief of the U.S. Security and Exchange Commission’s Office of Internet Enforcement, explored the question of whether, despite its denials, Amazon might be at least partly liable for the breach. Along the way, Stark raises some interesting issues, including communications issues.

Capital One, the fifth-biggest U.S. credit-card issuer, announced the breach July 29. The intrusion involved information on 106 million U.S. and Canadian credit-card customers and applicants, making it one of the worst data breaches at a bank. Capital One, based in McLean, Virginia, had confirmed the intrusion July 19.

The alleged perpetrator, a former Amazon Web Services employee, has been arrested and charged. “AWS was not compromised in any way and functioned as designed,” Seattle-based Amazon said in its statement. “The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure.” (Capital One said it was able to “immediately fix” the problem.)

Stark called Amazon’s announcement “immediate, unqualified, unapologetic, and absolute.”

Maybe too much so.

“In the complex world of data breaches, the AWS announcement seems surprisingly bold,” Stark wrote. “How could AWS be so sure so soon of its blamelessness?” He added that the denial “seems self-serving and lacks credibility” and “seems more befitting a glowing promotional advertisement than a cautious liability pronouncement.”

Rash Denial

Stark points to several issues concerning why the denial may have been rash. At the time (and still), the FBI hadn’t released any major details about the breach and Amazon didn’t say it had conducted any major probe (with or without an independent third party). In addition, in a data breach, it’s often unclear, especially early on, who’s responsible. We made that last point in a recent post on a new book about breaches.

Another issue is the former employment status of the alleged perpetrator, Paige A. Thompson. It’s unclear how much her having worked for Amazon Web Services gave her insight into how to conduct the breach, whether she planned the breach while there, and whether Amazon knew about that.

Stark says Amazon may be right and it’s as innocent as a lamb emoji, but he explores why that may also not be so. Most importantly, according to Stark, Amazon Web Services was known to be vulnerable to the type of attack believed to be responsible.

He clearly thinks one reason Amazon was so bold in its response is its cozy relationship with Capital One (“an almost eerie entanglement”). He notes the bank came to Amazon’s defense in its own statement. It credited its rental of cloud space as contributing to the speed with which it was able to diagnose and fix the problem. Stark even calls for the Capital One board to be more involved — “to find out what really happened” — given that coziness.

“AWS’s categorical denial, while definitive and brazen, will do little to ward off public scrutiny and skepticism of its culpability,” Stark writes.

Indeed: Amazon was named a defendant in a class action over the breach filed August 5.

Image Credit: Amazon

This is an abridged version of an article that appeared today on the CrisisResponsePro paid subscription portal. (CrisisResponsePro subscribers can access the full version by clicking here. ID and password are required.) To take advantage of all of the content, data, and collaborative resources CrisisResponsePro has to offer, contact us at info@crisisresponsepro.com.