• 05 December, 2025
• No Comments

The Global Impact of a 16-Hour AWS Outage That Shook the Internet

In a world where digital infrastructure powers everything from financial transactions to communication platforms, the line between system failure and cyber attack is increasingly blurred. This was made strikingly evident when Amazon Web Services (AWS) suffered a 16-hour global outage on 20 October 2025, disrupting a vast range of services, including Zoom, Canva, Snapchat, and online games such as Roblox and Fortnite.

The incident, which began in AWS’s US-East-1 region, reverberated across continents. Thousands of users in Singapore reported service disruptions through Downdetector, as major enterprises and consumers alike faced hours of downtime. While AWS attributed the issue to domain name system (DNS) resolution problems, the lack of a detailed explanation sparked widespread debate about the fragility of modern cloud ecosystems and their resemblance to the consequences of a coordinated cyber attack..

When outages mimic cyber attacks

When a global cloud provider like Amazon experiences downtime lasting more than half a day, the effect is indistinguishable from a major cyber incident. Critical systems slow or halt entirely, business operations are paralysed, and public confidence in digital reliability takes a hit.

As Darren Guccione, CEO of Keeper Security, pointed out, “Whether through technical failure or misconfiguration, the impact on global operations can be just as severe as a coordinated cyber attack.” That sentiment underscores a growing reality: operational resilience and cybersecurity resilience are now interlinked. A glitch in DNS infrastructure can have cascading consequences comparable to a ransomware campaign or distributed denial-of-service (DDoS) attack.

In AWS’s case, the disruption was compounded by a backlog of internet traffic requests and secondary impairments in internal monitoring subsystems. Even after the DNS issue was resolved, system restoration was delayed by the overwhelming volume of queued processes. This sequence of technical failures revealed a fundamental truth: the digital world’s dependency on a handful of centralised service providers has created a single point of systemic vulnerability.

Overreliance on legacy systems in a cloud-first world

Experts from global research firm Forrester warned that AWS’s prolonged downtime exposed a broader problem: an overreliance on outdated internet infrastructure such as DNS, which was never designed to handle the demands of modern cloud-scale computing. As Brent Ellis, Forrester’s principal analyst, explained, “It’s a feature of a highly concentrated risk, where even small service outages can ripple through the global economy.”

The incident mirrors challenges seen in other large-scale disruptions. In July 2024, a faulty software update from CrowdStrike rendered about 8.5 million Windows devices inoperable worldwide, halting flights, hospital operations, and banking services. Similarly, in October 2023, more than 2.5 million ATM and payment transactions in Singapore failed due to a cooling system fault at an Equinix data centre used by major banks like DBS and Citibank.

Each event reinforces the same lesson: technology fragility can be just as dangerous as deliberate intrusion. When systems are architected around legacy protocols or centralised dependencies, their ability to recover swiftly from disruption, whether caused by cyber threat or technical breakdown, is drastically reduced.

The economics of downtime and resilience

The financial and reputational impact of such outages is enormous. A 2024 report by Uptime Institute estimated that 70 per cent of businesses experiencing major IT outages incurred direct costs exceeding US$100,000, with nearly one in ten reporting losses above US$1 million. In cloud-reliant economies like Singapore’s, where digital services underpin commerce, banking, and logistics, even temporary downtime can reverberate through the national economy.

When cloud giants such as AWS, Microsoft Azure, or Google Cloud experience technical failures, the consequences cascade through their customers’ supply chains. Businesses with operations, data storage, and communications tied to a single region or provider face near-instant paralysis. Such concentration risk is now viewed as a critical threat to national digital resilience.

Recognising this, Singapore’s government is preparing to table the Digital Infrastructure Act, which aims to hold cloud and data centre operators to higher security and resilience standards. The legislation seeks to safeguard vital systems like banking and telecommunications from both cyber and non-cyber disruptions. It is a proactive step toward acknowledging that digital infrastructure is critical infrastructure and should be regulated as such.

The thin line between disruption and attack

While AWS has yet to disclose the root cause of its October outage, the incident’s scale prompted speculation about whether cyber actors could have exploited similar weaknesses. The DNS layer, in particular, has long been a popular target for attackers because of its central role in connecting users to online services.

If malicious actors had been responsible, the outcome might have looked almost identical: prolonged downtime, delayed mitigation, and massive operational fallout. That is precisely why experts urge organisations to treat resilience not as an afterthought but as an integral part of cybersecurity strategy. Whether an outage is triggered by faulty software, human error, or hostile intent, the inability to respond rapidly yields the same result: operational disruption.

As cyberattacks increasingly target cloud supply chains, distinguishing between technical failure and deliberate attack becomes less relevant than ensuring continuity. Preparedness is the new perimeter, and resilience has become the defining measure of digital maturity.

The new conversation: shared responsibility in the cloud era

One of the most significant lessons from the AWS outage is the need for shared accountability. Cloud providers operate under a “shared responsibility model,” meaning that while they maintain the infrastructure, customers are responsible for securing their own data and configurations. However, few organisations fully appreciate the operational risks that stem from over-reliance on third-party platforms.

Enterprises must therefore diversify their cloud strategies, adopt rigorous third-party risk management frameworks, and continuously test their systems’ fault tolerance. The notion of “one cloud fits all” is fast becoming untenable. Hybrid and multi-cloud models, where workloads are distributed across multiple providers, are gaining traction as a way to reduce single-point dependency.

But resilience also depends on preparedness at the organisational level. Incident response plans must include contingencies for both cyber attacks and infrastructure failures. This is especially true for sectors managing sensitive data, such as finance, healthcare, and government operations.

Privacy Ninja: building resilience through proactive testing and governance

As incidents like the AWS outage demonstrate, resilience and cybersecurity cannot be separated. They are two sides of the same coin, one focusing on prevention, the other on recovery. At Privacy Ninja, we help organisations strengthen both.

Our Vulnerability Assessment and Penetration Testing (VAPT) services simulate real-world attack scenarios to identify weaknesses in infrastructure, applications, and cloud environments before adversaries or technical errors exploit them. We also provide Data Breach Management support to ensure rapid containment, investigation, and recovery when incidents occur.

Through our DPO-as-a-Service offering, we guide companies in meeting Singapore’s Personal Data Protection Act (PDPA) obligations and maintaining operational compliance. For organisations operating in cloud-heavy or blockchain-integrated ecosystems, our Smart Contract Audit service ensures that vulnerabilities in decentralised applications are discovered early and remediated effectively.

By combining ethical hacking expertise with governance and compliance insight, Privacy Ninja helps businesses prepare for the unexpected: whether that’s a cyberattack or a system outage. We empower organisations to go beyond mere recovery and achieve lasting cyber resilience in a rapidly evolving digital world.