Security firm Trustwave Holdings, which assessed Heartland Payment Systems for PCI compliance before the 2009 Heartland data breach, is now facing a multi-million dollar lawsuit filed by two insurance companies that paid out on that breach.
Lexington Insurance Company and Beazley Insurance Company are seeking $30 million from Trustwave to recoup what they paid Heartland under its insurance policies, arguing that Trustwave failed in its responsibility to safeguard cardholder data. In January 2009, Heartland disclosed that malware on its network had stolen details of over 100 million payment cards.
According to the insurers, Trustwave failed for years to detect the malware on Heartland's network, which led to one of the biggest data breaches of the decade. Trustwave counters that the plaintiffs lack the evidence to prove their case.
At the time of the attack, more than 650 of Heartland's clients were affected by the breach. The company paid over $148 million in settlements of various lawsuits and in other remediation costs and expenses.
Lexington and Beazley paid Heartland $20 million and $10 million, respectively, under their insurance agreements. In the civil lawsuit filed last month in Illinois, the insurers say they are seeking to recover those costs.
Heartland announced the breach in 2009, but the SQL injection attack that gave the intruders their foothold, and that Trustwave's assessments did not catch, dates back to July 2007.
Payments technology firm Visa released a report on the matter citing Trustwave's shortfalls in the massive security breach. After investigating Heartland's servers, Visa found that Trustwave had certified Heartland as compliant with PCI DSS (the Payment Card Industry Data Security Standard), the certification that allowed Heartland to handle credit card data.
Visa found that Trustwave had overlooked Heartland's lack of a system firewall, its use of vendor-supplied default passwords, insufficient protection of its stored cardholder data, failure to regularly monitor its servers, and failure to assign a unique ID to each user with system access.
Trustwave has released a statement denying the allegations cited by Lexington and Beazley. It said:
Trustwave provided Heartland with an assessment of its compliance with PCI DSS. However, such an assessment, as the contract at issue makes clear, in no way guarantees that the company examined has not or cannot be breached. Trustwave did not manage Heartland's information security, and at no time did Heartland assign blame for the breach or make any claim against Trustwave. The insurers' demand related to a decade-old breach is entirely without merit. Trustwave initiated the lawsuit in order to obtain a resolution of these baseless demands and intends to pursue this matter vigorously.
This is not the first time Trustwave has faced a negligence lawsuit. In 2014, two banks in the United States sued the company for negligence over the Target data breach. The court sided with Trustwave after finding no evidence that it should have been responsible for securing Target's card data.
In 2006, a casino operator raised a similar complaint after the theft of more than 300,000 of its customers' payment card details. That case was resolved.