Two insurance companies are suing a cyber-security firm to recover insurance fees paid to a customer after the security firm failed to detect malware on the client's network for months, an issue that led to one of the biggest security breaches of the 2000s.
The two insurance firms are Lexington Insurance Company and Beazley Insurance Company, and both insured Heartland Payment Systems, a leading payment processing company.
Lawsuit related to 2009 Heartland mega breach
In January 2009, Heartland announced a major security breach of its network, following which an attacker stole details for over 100 million payment cards stored on its systems by over 650 of Heartland's customers.
Following this devastating hack, Heartland paid over $148 million in settlement fees for various lawsuits, and other remediation costs and expenses Heartland owed its customers.
As part of their insurance agreements, the two firms paid $30 million to Heartland, with the Lexington Insurance Company footing a $20 million bill, and the Beazley Insurance Company paying another $10 million.
Lawsuit claims Trustwave failed to detect intrusion
But now, according to a civil lawsuit filed on June 28, and first reported by the Cook County Record, the two companies are trying to recover those costs, and are claiming that the security firm with which Heartland had a service contract had failed to honor its agreement.
The two insurance firms claim that Chicago-based Trustwave Holdings, Inc., the security firm, failed to detect that an intruder used an SQL injection attack to breach Heartland's systems on July 24, 2007.
Furthermore, the two say Trustwave also failed to detect that attackers installed malware on the payments processor's servers on May 14, 2008, and did not raise an alarm about the event.
The lawsuit points out that Trustwave did not detect any signs of suspicious activity during the regular security audits it performed for Heartland for almost two years as part of its contract, which also included testing for PCI DSS compliance and attestation.
Visa report points the finger at Trustwave
The lawsuit also mentions that in the aftermath of the hack, Visa conducted a review of Heartland's servers and found that Trustwave incorrectly certified Heartland as PCI DSS compliant. PCI DSS stands for Payment Card Industry Data Security Standard, an attestation every vendor must obtain before being allowed to handle credit card data.
The lawsuit claims that Visa discovered that Trustwave ignored the fact that Heartland didn't run a firewall, was using vendor-supplied passwords, didn't have sufficient protection for the storage system used for card data, failed to assign unique identification to each person accessing its system, and had failed to monitor servers and cardholder data at regular intervals.
All of these are basic PCI DSS compliance rules, and Visa said that despite all the problems on Heartland's network, Trustwave provided PCI DSS attestation. Visa later prohibited Heartland from employing Trustwave following the wrongful attestation.
Citing the Visa report and other post-breach documents, the two insurance firms claim that Trustwave is guilty of gross negligence. Furthermore, the lawsuit claims that Trustwave is also in breach of the contracts it signed with Heartland, for which it was supposed to provide security services. The two insurance firms are now asking for damages of at least $30 million, pending a jury trial.
Trustwave was sued before in similar cases
This is the third time Trustwave is on the receiving end of such a lawsuit. A banking conglomerate sued Trustwave in 2014 for its role in the Target breach, but the lawsuit was dropped after a few days when it was discovered that Trustwave was not responsible for securing Target's payment card data, and hence, not at fault.
Trustwave was sued for a second time in 2016 when a casino operator claimed the security firm failed to contain and eradicate a 2013 breach of its payment system. The lawsuit claims Trustwave missed a second breach that later allowed a crook to steal over 300,000 payment card details from the casino operator's customers. This lawsuit is ongoing.
Trustwave did not respond to Bleeping Computer's request for comment regarding the most recent lawsuit in time for this article's publication.
Cross-posted from Bleepingcomputer with grateful acknowledgement.