- Plaintiffs have the right to review the forensic analysis of the 2019 Capital One data breach, a judge with the U.S. District Court for the Eastern District of Virginia ruled last week, according to CyberScoop.
- Third-party cybersecurity firm Mandiant performed the bank's post-mortem investigation, for which it published a report in September. The breach, exposed in July, compromised the personal information of up to 106 million Capital One customers.
- Capital One opposed showing Mandiant's report to plaintiffs, according to the court document. The bank argued that its business agreement between with Mandiant makes the report a protected legal document. Capital One has 11 days to share the report with lawyers involved, according to the ruling.
Capital One's security flaw was rooted in a misconfigured web application firewall, similar to the flaw compromised in Equifax's 2017 breach. The WAF misconfiguration led to criticism around the company's reliance on Amazon Web Services' security.
The bank hired Mandiant in 2015 to perform "engagement activities, results and recommendations for remediation" in the event of a cyber incident, according to the court document. The bank updated their agreement in January 2019 to 285 hours of service.
Capital One extended its services "out of the retainer already provided to Mandiant under the Jan. 7, 2019, [statement of work]," according to the court document. But when the retainer was "exhausted," Capital One paid Mandiant using its cyber organization's funds. By December, the bank's legal department took on Mandiant's payments, redesignating the service's costs as legal fees.
While Capital One said Mandiant's report was confidential, the bank said it disclosed it to about 50 Capital One employees, four regulators and the accounting firm Ernst & Young. The bank does not state why, for business or legal purposes. The list of recipients did not include the bank's board of directors.
Lawsuits were filed against Capital One just days after disclosing its breach. The judge's decision to release Mandiant's report is an effort to eliminate "assertions of evidentiary privileges because they shield evidence from the truth-seeking process," according to the ruling.
Capital One performed an internal investigation, led by then-interim Chief Information Security Officer Mike Eason and a manager from its incident management team. That analysis ran "parallel" to Mandiant's, according to the document.
The bank's CISO during the time of breach, Michael Johnson, was removed from the role in November and reassigned as an adviser for the investigation. In April, Capital One hired Chris Betz as CISO, followed by former Goldman Sachs CISO Andy Ozment, to oversee technology risk.