- Plaintiffs have the right to review the forensic analysis of its data breach, a judge ruled from the U.S. District Court for the Eastern District of Virginia, first reported by CyberScoop.
- Third-party cybersecurity firm Mandiant performed the bank's post-mortem investigation for its data breach announced in July. Mandiant published the report on Sept. 4, 2019.
- Capital One opposed showing Mandiant's report up to plaintiffs, according to the court document. Capital One argued because of the business agreement between the bank and Mandiant, it's a protected legal document. Capital One has 11 days to share the report with lawyers involved, according to the ruling.
Capital One's data breach impacted more than 100 million customers. The bank's security flaw was rooted in a misconfigured web application firewall, similar to the flaw compromised in Equifax's 2017 data breach. The WAF misconfiguration led to criticism around the company's reliance on AWS' security.
The bank hired Mandiant in 2015 to perform "engagement activities, results and recommendations for remediation" in the event of a cyber incident, according to the court document. The bank updated their agreement in January 2019 to 285 hours of service.
Capital One extended its services "out of the retainer already provided to Mandiant under the Jan. 7, 2019 [statement of work]," according to the court document. But when the retainer was "exhausted," Capital One paid Mandiant using its cyber organization's funds. By December, the bank's legal department took on Mandiant's payments, redesignating the service's costs as legal fees.
While Capital One said Mandiant's report was confidential, the bank said it disclosed it to about 50 Capital One employees, four regulators, and Ernest & Young. The bank does not state why, for either business or legal purposes. The bank's list of recipients did not include its board of directors.
Lawsuits were filed against Capital One just days after disclosing its breach. The judge's decision to release of Mandiant's report is an effort to eliminate "assertions of evidentiary privileges because they shield evidence from the truth-seeking process," according to the ruling.
Capital One performed an internal investigation, led by the interim CISO Mike Eason and a manager from its incident management team. The separate analysis ran "parallel" to Mandiant's, according to the document.
The bank's CISO during the time of breach, Michael Johnson, was removed from the role in November and reassigned as an advisor for the investigation. In April, Capital One hired Chris Betz as CISO, followed by former Goldman Sachs CISO Andy Ozment to oversee technology risk.