You’d be hard-pressed to find a company more committed to using the so-called public cloud than Capital One. America’s seventh-biggest bank by revenue has spent years winding down its data centers—from eight in 2014 to zero planned by the end of 2020—and relying on the on-tap resources of Amazon Web Services for computing and data storage. But now, in the wake of a data breach affecting 106 million North Americans, people are questioning whether Capital One represents a cybersecurity cautionary tale.
To burrow inside Capital One’s systems, a hacker supposedly exploited a “misconfigured firewall.” Basically, the thief snuck in an open door. Both Capital One and Amazon stressed that “this type of vulnerability is not specific to the cloud.”
Yet some experts, such as Evan Johnson, a security manager at startup Cloudflare, say AWS’s technical setup made the breach “much worse.” AWS is particularly susceptible to “server side request forgery,” Johnson says, in which a hacker tricks a server into connecting where it shouldn’t, enabling data theft. Better mitigations ought to be in place, he says.
Despite the criticism, Capital One’s breach “doesn’t prove the cloud is wrong,” says Glenn O’Donnell, a Forrester VP. “What it does prove is you have to have the right controls in place from a security and governance perspective.”
Ed Amoroso, ex–chief security officer for AT&T, agrees that for most businesses, off-loading infrastructure to the cloud remains safer than managing one’s own: “You have to compare not against ‘perfect’ but against ‘on premises.’ ”
A version of this article appears in the September 2019 issue of Fortune with the headline "Capital Offense."