Capital One Must Turn Over Mandiant's Forensics Report

Data Breach Class Action Lawsuit Plaintiffs Have Been Seeking the Findings
A federal judge has ordered Capital One to turn over the results of a digital forensics investigation into its 2019 data breach. Plaintiffs in a class action lawsuit have been seeking release of the forensics report.

The report, if it becomes public, could provide further insight into what went wrong in one of the most significant breaches of a financial institution in history.

A former Amazon Web Services engineer, Paige A. Thompson, has been charged with stealing 106 million Capital One credit card records and personal data belonging to customers in the U.S. and Canada. The Department of Justice has also accused her of compromising more than 30 other companies.

Capital One had sought to prevent disclosure of the digital forensics report into the mega-breach. The financial giant argued that the report was protected under the work product doctrine, under which certain kinds of material prepared for litigation are protected from disclosure.

Judge John F. Anderson's ruling

But U.S. Magistrate Judge John F. Anderson this week ruled that Capital One did not show that the document was entitled to such protection. Anderson made the ruling as part of an ongoing case in the U.S. District Court for the Eastern District of Virginia.

Capital One has had a standing arrangement with FireEye’s Mandiant forensics unit since 2015, Anderson writes. In early 2019, Capital One paid Mandiant a retainer that it classified as a business rather than legal expense, he notes.

“Capital One has not presented sufficient evidence to show that the incident response service performed by Mandiant would not have been done in substantially similar form even if there was no prospect of litigation,” Anderson writes.

Capital One officials couldn’t be immediately reached for comment.

Web Application Firewall Questions

Capital One’s data breach prompted widespread concern because the financial institution reportedly had some of the latest security technology in place to protect its business, including its use of cloud services.

Its breach first came to light publicly in late July 2019 when Thompson, who resides in the Seattle area, was arrested. She stands accused of accessing Capital One’s records, which were stored on Amazon’s Simple Storage Service - aka S3 - between March and July of that year.

Thompson's arrest followed her allegedly posting information about the breach on the code-sharing site GitHub as well as on social media.

Thompson, who at one time worked on S3 for Amazon, allegedly obtained the credentials for an administrator account for a web application firewall, according to an FBI affidavit. Using those credentials, she was allegedly able to list the folders and buckets holding the Capital One data. She then allegedly copied the data, which may have been possible because the WAF had been misconfigured.

The criminal complaint against Thompson describes how she allegedly accessed Capital One's systems.

Prosecutors say the stolen data included credit card applications, some of which date back to 2005. The personal data includes names, addresses, birth dates, credit histories, balances and payment histories.

Lawsuits Pending

Plaintiffs in the U.S. have filed more than 60 class action lawsuits over the breach. Those have now been consolidated into one case, which will be heard in U.S. District Court for the Eastern District of Virginia. A class action lawsuit is also pending in Canada (see: Capital One Data Breach Spurs More Lawsuits).

Capital One has until June 7 to turn over the Mandiant report. If the document, or portions of the document, become public, it could shed new light on how Capital One failed to stop the breach.

Some experts have suggested that Capital One fell victim to a server side request forgery attack, or SSRF (see: Capital One: Where Did the Bank Fail on Defense?).

An SSRF attack involves tricking a server into accessing, on behalf of the attacker, a resource it shouldn't be allowed to touch. It can result in an attacker gaining credentials. In Capital One’s case, a successful SSRF attack could have resulted in an attacker obtaining working credentials for a WAF role via Amazon’s metadata service, which supplies identity and access management credentials.
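As an added defensive example, not code from the article or from any party it describes, the following Python check illustrates the standard mitigation for this class of SSRF: before a server fetches a user-supplied URL, resolve the host and refuse anything that lands on the cloud metadata endpoint or another non-public address. The blocked-network list, the function names and the injectable `resolver` parameter are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed deny-list: the EC2 instance metadata endpoints (the IPv4
# link-local address 169.254.169.254 and the IPv6 IMDS address) plus the
# loopback, private and link-local ranges a web app should never fetch from.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),    # IPv4 link-local, includes IMDS
    ipaddress.ip_network("fd00:ec2::254/128"), # IPv6 IMDS address
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),          # IPv6 unique-local
    ipaddress.ip_network("fe80::/10"),         # IPv6 link-local
]

ALLOWED_SCHEMES = {"http", "https"}  # file://, gopher:// etc. are refused outright


def is_blocked_ip(ip):
    """True if the address falls in a blocked range (IPv4-mapped IPv6 is unwrapped)."""
    addr = ipaddress.ip_address(ip)
    # "::ffff:169.254.169.254" is the metadata IP in disguise; compare the inner IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason). The caller must pin the fetch to the vetted address and
    disable (or re-validate) redirects, otherwise DNS rebinding or a 302 to the
    metadata IP would bypass this check."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.hostname is None:
        return False, "no host"
    try:
        infos = resolver(parts.hostname, parts.port or 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False, "unresolvable host"
    # Every address the name maps to must be public; one blocked record fails it.
    for info in infos:
        ip = info[4][0]
        if is_blocked_ip(ip):
            return False, f"resolves to blocked address {ip}"
    return True, "ok"
```

The same hostname check should be re-applied at connect time (or the connection made to the vetted IP directly), since a name that resolves publicly at validation time can be repointed before the fetch.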

Thompson is scheduled to face trial later this year. She has been released from prison and is allowed to stay in a halfway house on the condition that she wear a location-tracking device and not access the internet (see: Alleged Capital One Hacker Released From Prison).

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
