Capital One Must Turn Over Mandiant's Forensics Report
Data Breach Class Action Lawsuit Plaintiffs Have Been Seeking the Findings
A federal judge has ordered Capital One to turn over the results of a digital forensics investigation into its 2019 data breach. Plaintiffs in a class action lawsuit have been seeking release of the forensics report.
The report, if it becomes public, could provide further insight into what went wrong in one of the most significant breaches of a financial institution in history.
A former Amazon Web Services engineer, Paige A. Thompson, has been charged with stealing 106 million Capital One credit card records and personal data belonging to customers in the U.S. and Canada. The Department of Justice has also accused her of compromising more than 30 other companies.
Capital One had sought to prevent disclosure of the digital forensics report into the mega-breach. The financial giant argued that the report was protected under the work product doctrine, under which certain kinds of material prepared for litigation are protected from disclosure.
But U.S. Magistrate Judge John F. Anderson this week ruled that Capital One did not show that the document was entitled to such protection. Anderson made the ruling as part of an ongoing case in the U.S. District Court for the Eastern District of Virginia.
Capital One has had a standing arrangement with FireEye’s Mandiant forensics unit since 2015, Anderson writes. In early 2019, Capital One paid Mandiant a retainer that it classified as a business rather than legal expense, he notes.
“Capital One has not presented sufficient evidence to show that the incident response service performed by Mandiant would not have been done in substantially similar form even if there was no prospect of litigation,” Anderson writes.
Capital One officials couldn’t be immediately reached for comment.
Web Application Firewall Questions
Capital One’s data breach prompted widespread concern because the financial institution reportedly had some of the latest security technology in place to protect its business, including its use of cloud services.
Its breach first came to light publicly in late July 2019 when Thompson, who resides in the Seattle area, was arrested. She stands accused of accessing Capital One’s records, which were stored on Amazon’s Simple Storage Service - aka S3 - between March and July of that year.
Thompson's arrest followed her allegedly posting information about the breach on the code-sharing site GitHub as well as on social media.
Thompson, who at one time worked on S3 for Amazon, allegedly obtained the credentials for an administrator account for a web application firewall, according to an FBI affidavit. Using those credentials, she was allegedly able to list the folders and buckets holding the Capital One data and then copy the data out, which may have been possible because the WAF had been misconfigured.
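The pattern described above, an instance's own role credentials being used to enumerate and read S3 from somewhere other than that instance, is visible in CloudTrail. The following detection is an added example written for this article, not code from Capital One, Mandiant or AWS. The account ID, role names, instance IDs, bucket name and IP ranges are all constructed, and the rule assumes the WAF fleet's outbound traffic leaves through a known address range (here 203.0.113.0/24, a documentation range):

```python
import ipaddress
import json

# Constructed sample CloudTrail records. Account ID, roles, instance IDs, bucket
# and IP addresses are hypothetical; none of this is real Capital One log data.
SAMPLE_CLOUDTRAIL = json.loads("""
{"Records": [
  {"eventID": "ev-1", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
   "sourceIPAddress": "203.0.113.10",
   "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::123456789012:assumed-role/waf-instance-role/i-0abc123"}},
  {"eventID": "ev-2", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
   "sourceIPAddress": "198.51.100.77",
   "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::123456789012:assumed-role/waf-instance-role/i-0abc123"}},
  {"eventID": "ev-3", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
   "sourceIPAddress": "198.51.100.77",
   "requestParameters": {"bucketName": "customer-applications", "key": "2019/batch-001.csv"},
   "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::123456789012:assumed-role/waf-instance-role/i-0abc123"}},
  {"eventID": "ev-4", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
   "sourceIPAddress": "198.51.100.77",
   "requestParameters": {"bucketName": "customer-applications", "key": "2019/batch-002.csv"},
   "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::123456789012:assumed-role/analytics-role/i-0def456"}},
  {"eventID": "ev-5", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
   "sourceIPAddress": "198.51.100.77",
   "requestParameters": {"bucketName": "customer-applications", "key": "2019/batch-003.csv"},
   "userIdentity": {"type": "IAMUser",
     "arn": "arn:aws:iam::123456789012:user/alice"}}
]}
""")

# S3 calls that enumerate or read data; GetObject only appears in CloudTrail
# when S3 data-event logging is enabled for the bucket.
S3_READ_EVENTS = {"ListBuckets", "ListObjects", "ListObjectsV2", "GetObject"}

# Hypothetical egress range for the instance fleet (NAT gateway / elastic IPs).
ALLOWED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]


def instance_session(record):
    """Return (role, instance_id) when the caller is an EC2 instance-profile
    session, else None. Instance-profile sessions carry the instance ID as the
    session name: .../assumed-role/<role>/<i-...>."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    try:
        _, role, session = ident["arn"].rsplit("/", 2)
    except (KeyError, ValueError):
        return None
    if not session.startswith("i-"):
        return None
    return role, session


def flag_exfil_candidates(records, allowed_egress=ALLOWED_EGRESS):
    """Flag S3 enumeration/reads made with instance-role credentials from an
    address the instances do not use. Stolen instance credentials replayed from
    an attacker's machine look exactly like this."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in S3_READ_EVENTS:
            continue
        session = instance_session(rec)
        if session is None:
            continue
        try:
            src = ipaddress.ip_address(rec.get("sourceIPAddress", ""))
        except ValueError:
            continue  # AWS service principals log a DNS name here, not an IP
        if any(src in net for net in allowed_egress):
            continue
        role, instance = session
        findings.append({
            "eventID": rec["eventID"], "role": role, "instance": instance,
            "source": str(src), "action": rec["eventName"],
            "bucket": rec.get("requestParameters", {}).get("bucketName"),
        })
    return findings


if __name__ == "__main__":
    for f in flag_exfil_candidates(SAMPLE_CLOUDTRAIL["Records"]):
        print(f)
```

On the constructed sample the rule flags ev-2, ev-3 and ev-4 (instance-role sessions calling S3 from 198.51.100.77) and ignores ev-1 (same role from inside the fleet's range) and ev-5 (a human IAM user, which a different rule should cover). GuardDuty's InstanceCredentialExfiltration finding covers the same idea for credentials used from outside AWS; a rule like this one adds the narrower "outside this fleet's addresses" check and a direct link to the buckets touched.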
Prosecutors say the stolen data included credit card applications, some of which dates back to 2005. The personal data includes names, addresses, birth dates, credit histories, balances and payment histories.
Plaintiffs in the U.S. have filed more than 60 class action lawsuits over the breach. Those have now been consolidated into one case, which will be heard in U.S. District Court for the Eastern District of Virginia. A class action lawsuit also is pending in Canada (see: Capital One Data Breach Spurs More Lawsuits).
Capital One has until June 7 to turn over the Mandiant report. If the document, or portions of the document, become public, it could shed new light on how Capital One failed to stop the breach.
Some experts have suggested that Capital One fell victim to a server side request forgery attack, or SSRF (see: Capital One: Where Did the Bank Fail on Defense?).
An SSRF attack tricks a server into making requests, on the attacker's behalf, to resources the attacker cannot reach directly. When the server runs on a cloud instance, one such resource is the instance metadata service, which hands out the temporary identity and access management credentials for the instance's role. In Capital One's case, a successful SSRF attack could have let the attacker retrieve working credentials for the WAF's role from Amazon's EC2 metadata service.
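To make the mechanism concrete, here is an added example (written for this article; not Capital One's, Mandiant's or AWS's code) of a URL-fetching endpoint in its SSRF-prone form beside a hardened form, run against a stand-in for the metadata service so it works offline. The role name, credential values and the upstream host api.example.com are placeholders; the metadata addresses 169.254.169.254 and fd00:ec2::254 are the real EC2 endpoints. The fake service can also be switched to require IMDSv2, where the credential paths answer only to a request carrying a session token that must first be obtained with a PUT, which a GET-only SSRF cannot do:

```python
import ipaddress
from urllib.parse import urlparse

# Addresses of the EC2 instance metadata service (IPv4 and IPv6 endpoints).
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254"}

# Constructed stand-in for what the metadata service returns; the role name and
# key material are placeholders, not real credentials.
FAKE_IMDS = {
    "/latest/meta-data/iam/security-credentials/": "waf-instance-role",
    "/latest/meta-data/iam/security-credentials/waf-instance-role":
        '{"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "EXAMPLE", "Token": "EXAMPLE"}',
}


def fake_http_get(host, path, headers=None, imds_v2_only=False):
    """Stand-in for an outbound HTTP GET so the example runs without a network.

    With imds_v2_only=True it behaves like an instance configured to require
    IMDSv2: a GET without X-aws-ec2-metadata-token is refused with 401.
    """
    headers = headers or {}
    if host in METADATA_HOSTS:
        if imds_v2_only and "X-aws-ec2-metadata-token" not in headers:
            return 401, ""
        return 200, FAKE_IMDS.get(path, "")
    if host == "api.example.com":          # hypothetical legitimate upstream
        return 200, "ok from upstream"
    return 404, ""


def vulnerable_fetch(url, imds_v2_only=False):
    """The SSRF primitive: fetch whatever URL the client supplied, unchecked."""
    u = urlparse(url)
    return fake_http_get(u.hostname, u.path or "/", imds_v2_only=imds_v2_only)


def is_blocked_address(ip):
    """Address classes an application-level proxy must never be steered at:
    link-local (the metadata service lives here), private, loopback, etc."""
    return (ip.is_link_local or ip.is_private or ip.is_loopback
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_target(url, allowed_hosts, resolve):
    """Raise ValueError unless url points at an allow-listed hostname whose
    resolved addresses are all public. `resolve` maps hostname -> list of
    address strings; it is injected so the check runs offline. In production,
    connect to the addresses you checked, not to a fresh lookup, or a DNS
    rebinding race can split the check from the connection."""
    u = urlparse(url)
    if u.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % u.scheme)
    host = u.hostname
    if host is None or host not in allowed_hosts:
        raise ValueError("host not on allow list: %r" % host)
    addrs = resolve(host)
    if not addrs:
        raise ValueError("host did not resolve: %r" % host)
    for addr in addrs:
        if is_blocked_address(ipaddress.ip_address(addr)):
            raise ValueError("host resolves to a blocked address: %s" % addr)
    return host, (u.path or "/")


def hardened_fetch(url, allowed_hosts, resolve):
    """Same endpoint with the target validated; rejected requests get 403."""
    try:
        host, path = validate_target(url, allowed_hosts, resolve)
    except ValueError as err:
        return 403, "blocked: %s" % err
    return fake_http_get(host, path)


def static_resolver(table):
    """Resolver backed by a dict (constructed data for offline runs)."""
    return lambda host: list(table.get(host, []))


if __name__ == "__main__":
    creds_url = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
    print("vulnerable, IMDSv1:", vulnerable_fetch(creds_url))
    print("vulnerable, IMDSv2 required:", vulnerable_fetch(creds_url, imds_v2_only=True))
    normal = static_resolver({"api.example.com": ["93.184.216.34"]})
    print("hardened, allowed host:", hardened_fetch("http://api.example.com/health", {"api.example.com"}, normal))
    print("hardened, metadata URL:", hardened_fetch(creds_url, {"api.example.com"}, normal))
```

The allow list is the primary control; the resolved-address check is a backstop for a permitted hostname that later resolves to a link-local or private address. Requiring IMDSv2 on the instance is the complementary infrastructure-side control: even the vulnerable endpoint then returns 401 instead of credentials, because the token must come from a PUT and is issued with a hop limit that keeps it from crossing a proxy.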
Thompson is scheduled to face trial later this year. She has been released from prison and is allowed to stay in a halfway house on the condition that she wear a location-tracking device and not access the internet (see: Alleged Capital One Hacker Released From Prison).