Two insurance companies are suing a cyber-security firm to recover insurance fees paid to a customer after the security firm failed to detect malware on the client's network for months, an issue that led to one of the biggest security breaches of the 2000s. The security firms says the lawsuit is meritless.
The two insurance firms are Lexington Insurance Company and Beazley Insurance Company, and both insured Heartland Payment Systems, a leading payment processing company.
In January 2009, Heartland announced a major security breach of its network, following which an attacker stole details for over 100 million payment cards stored on its systems by over 650 of Heartland's customers.
Following this devastating hack and one of the biggest of the 2000s, Heartland paid over $148 million in settlement fees for various lawsuits, and other remediation costs and expenses Heartland owed its customers.
As part of their insurance agreements, the two firms paid $30 million to Heartland in the hack's aftermath, with the Lexington Insurance Company footing a $20 million bill, and the Beazley Insurance Company paying another $10 million.
But now, according to a civil lawsuit filed on June 28 in Illinois, and first reported by the Cook County Record, the two companies are trying to recover those costs, and are claiming that the security firm with which Heartland had a service contract had failed to honor its agreement.
The two insurance firms claim that Chicago-based Trustwave Holdings, Inc. —the security firm— had failed to detect that an attacker used an SQL injection attack to breach Heartland's systems on July 24, 2007.
Furthermore, the two say Trustwave also failed to detect that attackers installed malware on the payments processor's servers on May 14, 2008, and did not raise a sign of alarm about the event.
The lawsuit points out that Trustwave did not detect any signs of suspicious activity during its security audits it provided Heartland for almost two years as part of its contracts, which also included testing for PCI DSS compliance and attestation.
The lawsuit also mentions that in the aftermath of the hack, Visa conducted a review of Heartland's servers and found that Trustwave incorrectly certified Heartland as PCI DSS compliant. PCS DSS stands for Payment Card Industry Data Security Standard, an attestation every vendor must obtain before being allowed to handle credit card data.
The lawsuit claims that Visa discovered that Trustwave ignored the fact that Heartland didn't run a firewall, was using vendor-supplied passwords, didn't have sufficient protection for the storage system used for card data, failed to assign unique identification to each person accessing its system, and had failed to monitor servers and cardholder data at regular intervals.
All of these are PCI DSS compliance rules, and Visa said that despite all the problems on Heartland's network, Trustwave provided PCI DSS attestation. Visa later prohibited Heartland from employing Trustwave following the wrongful attestation.
Citing the Visa report and other post-breach documents, the two insurance firms claim that Trustwave is guilty of gross negligence. Furthermore, the lawsuit claims that Trustwave is also in breach of the contracts it signed with Heartland, for which it was supposed to provide security services. The two insurance firms are now asking for damages of at least $30 million, pending a jury trial, following Trustwave's failure to detect the intrusion.
But in a statement to Bleeping Computer, Trustwave says the lawsuit is meritless.
"Trustwave filed a lawsuit in Delaware against insurers Lexington and Beazley in response to their time-barred and unwarranted attempt to recoup the insurance payments they made as coverage for a 2008 data breach at Heartland," a Trustwave spokersperson told us. "The insurers subsequently filed a duplicative suit in Illinois regarding the exact same matter."
"Trustwave provided Heartland with an assessment of its compliance with PCI DSS. However, such an assessment, as the contract at issue makes clear, in no way guarantees that the company examined has not or cannot be breached," the spokesperson added.
"Trustwave did not manage Heartland's information security, and at no time did Heartland assign blame for the breach or make any claim against Trustwave. The insurers' demand related to a decade-old breach is entirely without merit. Trustwave initiated the lawsuit in order to obtain a resolution of these baseless demands and intends to pursue this matter vigorously."
This is the third time Trustwave is on the receiving end of such a lawsuit. A banking conglomerate sued Trustwave in 2014 for its role in the Target breach, but the lawsuit was dropped after a few days when it was discovered that Trustwave was not responsible for securing Target's payment card data, and hence, not at fault.
Trustwave was sued for a second time in 2016 when a casino operator claimed the security firm failed to contain and eradicate a 2013 breach of its payment system. The lawsuit claims Trustwave missed a second breach that later allowed a crook to steal over 300,000 payment card details from the casino operator's customers. That lawsuit has been resolved.