
Chin up, CapitalOne: You may not have been the suspected hacker's only victim. Feds fear 30-plus organizations hit

Michael Wojcik

AWS arguably shares some of the blame

Cloudflare's Evan Johnson has a good explanation of what Capital One did wrong, and is of the opinion that this kind of problem is difficult to detect and prevent, and that AWS doesn't do enough to help customers secure their systems against it.

It's interesting to note that the underlying issue was an SSRF vulnerability in a security component - the WAF module. So the Capital One admins had gone to some effort to secure their site using well-known mechanisms, but missed an inobvious vulnerability in a firewall configuration. This is rather different to, say, the Suprema breach, which was straightforward incompetence on the part of the admins; or the now-commonplace "we didn't secure our S3 buckets" failure mode.
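The mitigation that belongs in front of any request a WAF or proxy forwards on a user's behalf is an egress check on the resolved destination; the following is an added example, not code from the comment, from Capital One or from AWS. It assumes the AWS instance metadata endpoint 169.254.169.254 (a link-local address) as the canonical internal target and takes an injectable resolver so it can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added defensive example: decide whether a server-side fetch of a
# user-influenced URL may proceed. Every address the host resolves to
# must be public; internal, loopback and link-local ranges (which
# include the EC2 metadata endpoint 169.254.169.254) are refused.

ALLOWED_SCHEMES = {"http", "https"}


def dns_resolve(host):
    # Live resolver used by default; replaced by a table in offline tests.
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def _is_public(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot hide an IPv4 target.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def check_outbound_url(url, resolver=dns_resolve):
    """Return (allowed, reason) for a proposed server-side request."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parsed.scheme
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        # IP literal: no DNS lookup needed (brackets already stripped by urlparse).
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, "resolution failed: %s" % exc
    # A host resolving to a mix of public and internal addresses is rejected
    # outright rather than partially trusted.
    for addr in addrs:
        if not _is_public(ipaddress.ip_address(addr)):
            return False, "target address %s is not public" % addr
    return True, "ok"
```

The check must run on the address actually used for the connection; validating only the hostname string leaves DNS-based redirection to an internal address unaddressed.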
