Insurance companies Lexington Insurance and Beazley Insurance are suing an information security firm to recover the insurance rates paid to Heartland Payment Systems, a payment management company, after the security firm did not detect malware in the client’s network for months, a problem that caused one of the biggest security breaches of the first decade of the 21st century. The security firm claims that the lawsuit is inadmissible.
2009 data violation-related lawsuit
In January 2009, Heartland announced a major security breach on its network, after which a hacker stole data of more than 100 million of card stored in their systems by more than 650 customers, as reported by specialists secure data destruction from the International Institute of Cyber Security.
After this attack, Heartland paid more than $148M in fees for various lawsuits and other costs, and compensation expenses to its customers.
As part of its insurance agreements, the two firms paid 30 million to Heartland in the post-hack period, with Lexington Insurance Company paying $20M and Beazley Insurance paying another $10M.
Lawsuit claims Trustwave’s fault
But now, according to a civil lawsuit filed on June 28th in Illinois, the two companies are trying to recover those costs, and claim that the security firm that Heartland had a service contract with would have failed to honor its agreement.
The two insurance companies claim that Trustwave Holdings, Inc., the security firm, did not detect the attack to violate the Heartland systems on July 24, 2007.
In addition, the two insurers claim that Trustwave also did not detect that the attackers installed malware on the payment management servers on May 14, 2008, and did not issue alarm signals about the event.
The lawsuit points out that Trustwave did not detect any signs of suspicious activity during the security audits that it provided to Heartland for almost two years as part of its contracts, which also included evidence for the compliance and certification of Payment Card Industry Data Security Standard (PCI DSS).
Visa documents seems to blame on Trustwave
The lawsuit also mentions that after the hack, Visa reviewed the Heartland servers and discovered that Trustwave certified incorrectly that Heartland complied with PCI DSS, a certification that every vendor must obtain before they can operate with credit card data.
The lawsuit, according to experts in secure data destruction, alleges that Visa discovered that Trustwave ignored the fact that Heartland did not run a firewall, used vendor-supplied passwords, did not have enough protection for the storage system used for card data, it did not assign unique identification to each person to access their system and could not monitor the cardholder’s servers and data on a regular basis.
All of these are PCI DSS compliance rules, and Visa said that despite all the problems in the Heartland network, Trustwave certified its security systems. Later, Visa forbade Heartland to use Trustwave after the erroneous attestation.
According to experts in secure data destruction, the Visa report and other post-breach documents, the two insurance companies claim that Trustwave is guilty of negligence. In addition, the lawsuit alleges that Trustwave also breached the contracts they signed with Heartland, in which they were supposed to provide security services. The two insurance companies now request repair damage for at least $30M, pending trial, after Trustwave has not detected the intrusion.
Trustwave affirms innocence
In a statement, the computer security company claims that the demand is meritless.
“Trustwave filed a lawsuit in Delaware against insurers Lexington and Beazley in response to their unwarranted attempt to recover insurance payments they made as coverage for a data breach in 2008 in Heartland”, say spokespersons from Trustwave. “Insurers subsequently filed a duplicate lawsuit in Illinois with respect to the same issue”.
“Trustwave provided Heartland with an assessment of its compliance with PCI DSS. However, such assessment, as clarified by the contract in question, does not guarantee that the examined company could not be violated” the spokespersons added.
Trustwave’s been sued before
This is the third time Trustwave faces a similar lawsuit. A banking consortium sued Trustwave in 2014 for its role in the Target’s breach, but the lawsuit was abandoned after a few days when it was discovered Trustwave was not responsible for the Target payment card data, and therefore, it wasn’t Trustwave fault.
Trustwave was sued for the second time in 2016 when a casino operator claimed that the security company could not contain and eradicate a breach on its payment system in 2013. The lawsuit alleged that Trustwave omitted a second offense that later allowed a scammer to steal more than 300K payment card data from the casino operator’s customers.