Dive Brief:
- The Federal Reserve in April examined an Amazon.com facility in Virginia, paying special attention to the company's resiliency and backup systems, The Wall Street Journal reported. People familiar with the visit described it as the start of potentially ongoing oversight focused on cloud storage of banking data.
- Tech companies have typically been reluctant to acquiesce to new oversight, arguing that they sell a cloud-based system, but it's the client's responsibility to run and secure it. After the April visit, federal representatives sought additional documents from Amazon. The company pushed back, demanding to know how the regulator would store and use Amazon's data, who would have access and for how long, the Journal reported.
- Amazon Web Services' servers hold the data at issue in the Capital One breach publicized this week that put 106 million consumers' information at risk. Lawmakers and regulators have been vocal in their reaction. The House Oversight Committee ranking member, Rep. Jim Jordan, R-OH, on Thursday sent letters to the CEOs of Capital One and Amazon requesting staff-level briefings and seeking the companies' responses by Aug. 15. FDIC Chair Jelena McWilliams took the opportunity to remind banks that they could get fined over data breaches. Capital One is not subject to regulation by the FDIC, which, McWilliams noted, also has "limited ability" to examine third-party service providers.
Dive Insight:
At issue, considering both the data breach and Fed officials' visit to the Amazon facility, is where banks' responsibility ends and their vendors' begins. A U.S. Treasury report last year found that bank regulations hadn't "sufficiently modernized to accommodate cloud and other innovative technologies."
Several financial institutions and companies, including Goldman Sachs, Nasdaq and Stripe, store their data using Amazon. Others use servers from Microsoft, Google, or, to some extent, all three.
Amazon, which, according to Gartner research, controls almost half of the cloud market, is also among the frontrunners for an upcoming $10 billion cloud contract with the Defense Department. And Amazon Web Services now accounts for three-quarters of the tech giant’s profits, the Journal reported.
Financial regulators have made inquiries into bank vendors such as Fiserv in years past. But — as McWilliams noted — regulators have limited reach over nonbanks.
Lawmakers, for their part, have sought clarity on the issue. Rep. Maxine Waters, D-CA, the House Financial Services Committee chair, has organized a briefing on the Capital One data breach. Senate Banking Committee Chairman Mike Crapo, R-ID, said he plans legislation that would establish new data safeguards for consumers.
Paige Thompson, 33, a former employee of Amazon Web Services, was charged with computer fraud and abuse Monday in connection with the Capital One breach.