As Dark Reading reported recently, insurers have sued Trustwave for a whopping $30 million over the 2008 Heartland data breach. Amazing to think that the massive Heartland Payment Systems data breach happened as far back as 2008.
Insurance firms Lexington Insurance Co., of Massachusetts, and Beazley Insurance Co., of Connecticut, filed suit in the Circuit Court of Cook County, Illinois on June 28th claiming professional malpractice by security firm Trustwave Holdings Inc. in the 2008 data breach of Heartland that led to the insurers paying some $30 million in claims. Trustwave had certified the company as PCI DSS-compliant prior to the attack.
The lawsuit followed a Trustwave court filing on June 22nd in Delaware that petitioned the court to rule the insurers' demands moot because the statute of limitations had run, and to find that Trustwave did not breach its audit contract with Heartland. Trustwave filed that case after the insurers sent the firm a letter demanding reimbursement of the claims they had paid out related to the breach. Lexington and Beazley then upped the ante by taking their own suit to court in Illinois.
"The insurers' spurious demand related to a decade-old breach is entirely without merit. Trustwave initiated this lawsuit in order to obtain a judgment accordingly and intends to pursue this matter vigorously," Trustwave said in a statement provided to Dark Reading.
Trustwave also said its PCI assessment isn't the equivalent of managing security for Heartland.
Trustwave's PCI DSS assessment of Heartland was no guarantee that the company had not been, or would not be, breached, according to Trustwave. "Trustwave did not manage Heartland's information security, and at no time did Heartland assign blame or make any claim against Trustwave," the company said.
Lexington and Beazley's lawsuit claims Trustwave was responsible for the breach at Heartland and that the security firm had provided PCI DSS assessments, vulnerability scans, and compliance testing services to the payment processor starting in 2005, according to a report by The Cook County Record. The complaint claims the breach disclosed in 2009 traces back to a SQL injection attack on Heartland's systems that began on July 24, 2007, and that harvested magnetic stripe data. Malware was planted on May 14, 2008, the suit said, and Trustwave's testing did not detect it, the report noted.
Trustwave certified Heartland as PCI DSS-compliant in 2007 and 2008 following its audits. Visa conducted its own investigation of the PCI DSS certification and found multiple PCI DSS violations. In 2015, most of the breach litigation was settled; Lexington paid $20 million in insurance reimbursements, while Beazley paid $10 million.
Andrew Hay, co-founder and CTO of Leo Cyber Security, says the lawsuit against Trustwave is bad news for security companies.
"I think this sets a very dangerous precedent for security companies providing services. The customer does, and should, have an expectation of protection as a result of deploying mitigating controls. What's missing in the vendor space, however, are strict rules of engagement related to the proper deployment, management, and monitoring of said controls, both technical and documentation/program," he says. "It's one thing to deploy a tool to address an issue, but it's an entirely different challenge to operationalize the control from a program perspective." He added that security vendors can't guarantee their products or services are a cure; instead they should position their offerings as a way to lessen the blow of threats when properly deployed.
I certainly agree with that. Our contracts always note that there is no guarantee that security services can insulate anyone against a breach. With threats and attack surfaces changing all the time, such a guarantee would make no sense. But this case will be closely watched, and no doubt many security vendors will take a look at increasing their cyber insurance coverage.
Heartland's hack exposed 130 million US debit and credit card accounts, the largest breach ever recorded at the time. The incident, first made public in January 2009, led the company to strengthen its security posture with end-to-end encryption, tokenization, and EMV chip-and-PIN payment card technology.
Hat tip to Dave Ries.