Thursday, September 12, 2019

Inside Job: Amazon.com Employee Stole Credit Data of 106 Million

Amazon.com is rotten to its core. This latest case of "employee gone bad" (https://heavy.com/news/2019/07/paige-adele-thompson/) is yet another example of the widespread patterns of misbehavior, misconduct and mismanagement by Amazon.com employees that have been ongoing for the better part of two decades. From alleged money laundering to racketeering to computer fraud, the culture of misconduct and malfeasance starts at the top with the win-at-any-cost disruptor model espoused by Amazon.com executives. A few examples for reference:

Misconduct stemming from office of the CEO: In 2013, dozens of Amazon.com employees and the CEO's own wife were caught flooding Brad Stone's book, The Everything Store, with unfavorable reviews to keep the book from damaging the reputation of Amazon.com and its CEO. (http://readindies.blogspot.com/2016/08/amazons-blackened-soul.html)

Misconduct organized and ordered by executives: In 2018, at least 50 Amazon employees were caught creating fake accounts on eBay and accused of multiple federal crimes, including criminal conspiracy, fraud and racketeering. (http://robertstanek.blogspot.com/2019/08/amazon-employees-caught-creating-fake-accounts.html)

Misconduct organized and ordered by executives: In 2019, Amazon.com was caught in a highly unethical and likely criminal pay-for-praise scheme involving several hundred employees. (http://robertstanek.blogspot.com/2019/08/amazon-caught-in-pay-for-praise-scheme.html)

Although the SEC, FTC and DOJ are all circling Amazon.com with possible intent to act, the federal crimes, misdeeds and abuses of Amazon.com executives and employees have so far carried on with impunity—more likely due to the deep (dare I say, cozy) relationships Amazon.com has with the Justice Department, U.S. Intelligence and hundreds of other government agencies than a lack of evidence. However, with the deepest secrets of our government, including the Sensitive, Secret and Top Secret information of the Justice Department (https://aws.amazon.com/stateandlocal/justice-and-public-safety/), U.S. Intelligence (https://aws.amazon.com/federal/us-intelligence-community/) and more (https://aws.amazon.com/government-education/defense/), hosted on Amazon’s cloud servers, this latest case of "employee gone bad" is likely too hard to overlook.

To wit, the Amazon.com employee involved in the theft of the credit data of over 100 million people did so by using the knowledge gained working in Amazon’s Web Services division as a software engineer to hack into the data Capital One stored on Amazon’s servers. This data was stored in the Amazon Simple Storage Service, also referred to as Amazon S3, which is a service offered by Amazon Web Services to supposedly securely store the data of thousands of companies. Care to guess where many of the deepest secrets of the Justice Department, U.S. Intelligence and hundreds of other U.S. agencies are stored? Yep, Amazon S3.

While Capital One, like Amazon.com, largely downplayed the extent of the damage done in the data breach, the estimated dollar cost of the damages, as stated by Capital One itself, is telling: $100 to $150 million in damages (https://www.inc.com/minda-zetlin/paige-thompson-capital-one-hack-former-amazon-engineer-social-security-numbers.html). Most troubling about all this? The (technically "former") Amazon.com employee involved used knowledge and skills gained from 2015 – 2016 to hack the Capital One data stored on Amazon’s S3 servers in 2019. This was an inside job. Amazon Web Services tactics, techniques and security surely should have changed considerably in 3 years—however, clearly they had not. Sort of like the lengthy Amazon Web Services S3 outage on February 28, 2017, which was so bad Amazon couldn’t even get into its own servers to warn anyone—a problem that occurred because of gross mismanagement involving Amazon Web Services procedures and tactics. Other examples of gross mismanagement? How about:

* the days’ long outage in April 2011 that Amazon didn’t make a public statement about for a week,

* the infamous Friday the 13th outage of September 2013 that left regional customers without service for several hours due to a simple load balancing misconfiguration,

* the lengthy Amazon Web Services S3 outage in November 2014 because of the failure of the AWS CloudFront DNS server,

* or the 10-hour outage in June 2016 due to stormy weather that hit numerous prime websites and businesses.

As I stated previously, the culture of misconduct and malfeasance starts at the top of the company while the patterns of misbehavior, misconduct and mismanagement extend throughout the entire organization. More examples of mismanagement and failure of Amazon Web Services:

2017 - https://www.datacenterknowledge.com/archives/2017/03/02/aws-outage-that-broke-the-internet-caused-by-mistyped-command

2017 - https://www.datacenterknowledge.com/uptime/equinix-power-outage-one-reason-behind-aws-cloud-disruption

2015 - https://www.datacenterknowledge.com/archives/2015/09/24/heres-what-caused-sundays-amazon-cloud-outage

2015 - https://www.datacenterknowledge.com/archives/2015/09/21/amazon-data-center-outage-affects-netflix-heroku-others

2013 - https://www.datacenterknowledge.com/archives/2013/09/13/network-issues-cause-amazon-cloud-outage

2012 - https://www.datacenterknowledge.com/archives/2012/10/27/cascading-failures-caused-amazon-outage

2012 - https://www.datacenterknowledge.com/archives/2012/07/03/multiple-generator-failures-caused-amazon-outage

2012 - https://www.datacenterknowledge.com/archives/2012/06/30/amazon-data-center-loses-power-during-storm

2012 - https://www.datacenterknowledge.com/archives/2012/06/29/another-outage-amazon-cloud

2011 - https://www.datacenterknowledge.com/archives/2011/08/15/amazon-provides-more-details-on-dublin-outage

2011 - https://www.datacenterknowledge.com/archives/2011/04/29/amazon-networking-error-caused-cloud-outage

2011 - https://www.datacenterknowledge.com/archives/2011/04/21/major-amazon-outage-ripples-across-web

2010 - https://www.datacenterknowledge.com/archives/2010/12/13/amazon-hardware-failures-caused-outage

2009 - https://www.datacenterknowledge.com/archives/2009/07/19/outage-for-amazon-web-services

With this much going wrong and the regulatory hammer looming, is there any wonder why there is an outflow of executives, including Zumwalt, Blackburn, Wilson, Jain, and Chew for starters? In his new book, Talking to Strangers, Malcolm Gladwell talks about Harry Markopolos, the guy who gift-wrapped and delivered the Bernie Madoff Ponzi scheme to the SEC. Much like the case of Amazon.com, federal regulators spent years ignoring Markopolos and what was plain to see before their eyes. They couldn’t be bothered to conduct a thorough and proper investigation. As Harry Markopolos told Malcolm Gladwell: "the truth is in the math"; "people have too much faith in large organizations"; "the emperor has no clothes".

The truth of Amazon.com is in the math too—in the patterns of misconduct and malfeasance that start at the top of the company. Indeed, the emperor has no clothes, and that’s something I have said before as well.

Circling back to the bottom line: this person worked for Amazon S3 as a software engineer, subsequently hacked Amazon S3 and did so using intimate first-hand knowledge gained while employed at Amazon S3. This intimate first-hand knowledge included information about possible vulnerabilities, how those vulnerabilities potentially could be exploited and exactly how Amazon S3 worked. As a former Amazon S3 software engineer, this person knew exactly what to do and where to go once she got into Amazon S3. So let's call this hack what it was: an inside job. If Amazon.com were a bank and a former teller knew the contents of the bank vault and then robbed safety deposit boxes 7, 17 and 73 of their contents, everyone would call this what it was: an inside job. Well, that’s exactly what happened. This was an inside job. This former employee knew exactly the vulnerabilities to look for, how they could be exploited and which deposit boxes to steal—and she learned it all while working at Amazon S3.

Thanks for reading, I’m William Robert Stanek, Microsoft’s #1 author for nearly 20 years, and author of over 250 top-selling books.

--

Addendum: Interesting comments earlier on Facebook and in private regarding said employee's role at Amazon.

As explained in the article, this person was employed by Amazon as a software engineer for S3 from 2015-2016. The Capital One data was stolen from Amazon's S3 servers in 2019. This was done using insider knowledge and tactics gained while working for Amazon. Amazon and Capital One both have underplayed how damaging this whole thing was... though Capital One admits this is likely to cause the company $100 - $150 million in damages.

P.S. This case gets curiouser and curiouser when you dig below the surface. Basically, the "employee" did the crime then gift-wrapped herself for authorities by not only giving them a trail of breadcrumbs to follow but copping to the crime on social media. This ensured quick arrest and abrupt ends to certain internal investigations (primarily at Amazon.com). Inquiring minds might want to hazard a few guesses why. Two obvious questions for starters: What else might have been uncovered with continued, deep investigation? Who else might have been uncovered? I’m sure the curious can discern others.
