Dive Brief:
- Plaintiffs have the right to review the forensic analysis of the 2019 Capital One data breach, a judge with the U.S. District Court for the Eastern District of Virginia ruled last week, according to CyberScoop.
- Third-party cybersecurity firm Mandiant performed the bank's post-mortem investigation, for which it published a report in September. The breach, exposed in July, compromised the personal information of up to 106 million Capital One customers.
- Capital One opposed showing Mandiant's report to plaintiffs, according to the court document. The bank argued that its business agreement with Mandiant makes the report a protected legal document. Capital One has 11 days to share the report with the lawyers involved, according to the ruling.
Dive Insight:
Capital One's security flaw was rooted in a misconfigured web application firewall, similar to the flaw exploited in Equifax's 2017 breach. The WAF misconfiguration led to criticism of the company's reliance on Amazon Web Services' security.
The bank hired Mandiant in 2015 to perform "engagement activities, results and recommendations for remediation" in the event of a cyber incident, according to the court document. The bank updated its agreement in January 2019 to 285 hours of service.
Capital One extended its services "out of the retainer already provided to Mandiant under the Jan. 7, 2019, [statement of work]," according to the court document. But when the retainer was "exhausted," Capital One paid Mandiant using its cyber organization's funds. By December, the bank's legal department took on Mandiant's payments, redesignating the service's costs as legal fees.
While Capital One said Mandiant's report was confidential, the bank said it disclosed the report to about 50 Capital One employees, four regulators and the accounting firm Ernst & Young. The bank does not state whether those disclosures were made for business or legal purposes. The list of recipients did not include the bank's board of directors.
Lawsuits were filed against Capital One just days after it disclosed the breach. The judge's decision to release Mandiant's report is an effort to eliminate "assertions of evidentiary privileges because they shield evidence from the truth-seeking process," according to the ruling.
Capital One performed an internal investigation, led by then-interim Chief Information Security Officer Mike Eason and a manager from its incident management team. That analysis ran "parallel" to Mandiant's, according to the document.
The bank's CISO at the time of the breach, Michael Johnson, was removed from the role in November and reassigned as an adviser for the investigation. In April, Capital One hired Chris Betz as CISO, followed by former Goldman Sachs CISO Andy Ozment, to oversee technology risk.