Judge demands Capital One release Mandiant cyberforensic report on data breach

May 29, 2020

A judge has ruled that Capital One must release the forensic report prepared by Mandiant following a data breach, of which the company is now being sued over.

On Tuesday, Judge John Anderson from the US District Court for the Eastern District of Virginia ruled that Capital One is required to provide a copy of the report to attorneys suing the firm on behalf of customers impacted by the breach.

The US financial giant suffered a data breach in 2018, disclosed a year later. Roughly 100 million US citizens and 6 million Candian citizens were impacted through the compromise of personally identifiable information (PII) gathered by Capital One in relation to credit card applications.

Records from between 2015 and 2019 were accessed, including applicant names, addresses, phone numbers, email addresses, dates of birth, self-reported incomes, and some ‘fragmented’ information including credit scores and transaction data.

A “configuration vulnerability” was exploited by the cyberattacker, of which former AWS engineer Paige Thompson is accused. Following the arrest and a search of the suspect’s home, evidence obtained has led US prosecutors to believe over 30 more companies may have also had their data stolen by the same individual.

Capital One formed a contract with Mandiant, FireEye’s cyberforensics arm, in 2015 to provide security incident support “in the event such services were necessary” according to court documents, as reported by Cyberscoop.

CNET: Clearview AI faces lawsuit over gathering people’s images without consent

The retainer entitled the bank to up to 285 hours of service from Mandiant. Following the data breach, the cyberforensics firm was engaged in “services and advice concerning computer security incident response; digital forensics, log, and malware analysis; and incident remediation.”

As Mandiant worked on the incident, class-action lawsuits sprung up in their droves on behalf of the millions of customers embroiled in the security incident. Over 60 cases were consolidated and attorneys requested access to Mandiant’s findings, issued on September 4, 2019.

Capital One attempted to argue the work was the result of a business agreement and was protected as a “legal document.”

TechRepublic: Google, Microsoft most spoofed brands in latest phishing attacks

However, the court did not agree, saying that the argument is “unpersuasive” and a copy of the report must be provided within 11 days.

In other security news this week, Japanese telecoms giant NTT disclosed a data breach that took place on May 7. According to the company, cyberattackers were able to obtain access to internal networks and steal information belonging to 621 customers.