Dive Brief:
- Plaintiffs have the right to review the forensic analysis of Capital One's data breach, a judge of the U.S. District Court for the Eastern District of Virginia ruled, as first reported by CyberScoop.
- Third-party cybersecurity firm Mandiant performed the bank's post-mortem investigation for its data breach announced in July. Mandiant published the report on Sept. 4, 2019.
- Capital One opposed disclosing Mandiant's report to plaintiffs, according to the court document. Capital One argued that, because of the business agreement between the bank and Mandiant, the report is a protected legal document. Capital One has 11 days to share the report with the lawyers involved, according to the ruling.
Dive Insight:
Capital One's data breach impacted more than 100 million customers. The bank's security flaw was rooted in a misconfigured web application firewall, similar to the flaw exploited in Equifax's 2017 data breach. The WAF misconfiguration led to criticism of the company's reliance on AWS' security.
The bank hired Mandiant in 2015 to perform "engagement activities, results and recommendations for remediation" in the event of a cyber incident, according to the court document. The bank updated its agreement in January 2019 to 285 hours of service.
Capital One extended its services "out of the retainer already provided to Mandiant under the Jan. 7, 2019 [statement of work]," according to the court document. But when the retainer was "exhausted," Capital One paid Mandiant using its cyber organization's funds. By December, the bank's legal department took on Mandiant's payments, redesignating the service's costs as legal fees.
While Capital One said Mandiant's report was confidential, the bank said it disclosed it to about 50 Capital One employees, four regulators, and Ernst & Young. The bank did not state whether those disclosures were for business or legal purposes. The bank's list of recipients did not include its board of directors.
Lawsuits were filed against Capital One just days after it disclosed the breach. The judge's decision to release Mandiant's report is an effort to eliminate "assertions of evidentiary privileges because they shield evidence from the truth-seeking process," according to the ruling.
Capital One performed an internal investigation, led by the interim CISO Mike Eason and a manager from its incident management team. The separate analysis ran "parallel" to Mandiant's, according to the document.
The bank's CISO during the time of breach, Michael Johnson, was removed from the role in November and reassigned as an advisor for the investigation. In April, Capital One hired Chris Betz as CISO, followed by former Goldman Sachs CISO Andy Ozment to oversee technology risk.