Insurers hurl sueball at Trustwave over 2008 Heartland megabreach
Firm smacks back: We 'did not manage Heartland's information security'
Security services firm Trustwave has been sued by insurers in America over the 2008 hacking of US payment processing biz Heartland.
Lexington Insurance Company and Beazley Insurance Company allege Trustwave was "negligent" in failing to detect a SQLi attack, suspicious network activity, and malware associated with Heartland's network security breach.
It is alleged that Trustwave signed Heartland off for Payment Card Industry Data Security Standard (PCI DSS) compliance during a time when its systems were compromised. Trustwave had been hired to assess – but not manage – Heartland's computer security defenses.
The duo are suing Trustwave in an attempt to recover claims payouts of $30m and other costs. Lexington paid $20m to Heartland while Beazley handed over $10m to settle claims brought under insurance policies.
Trustwave has dismissed the insurers' lawsuit as without merit, and launched its own countersuit in Delaware, prompting this latest legal barrage in Illinois. The firm contends that a PCI audit is no guarantee that a company can't be hacked, as its statement to The Register this week explains:
Trustwave filed a lawsuit in Delaware against insurers Lexington and Beazley in response to their time-barred and unwarranted attempt to recoup the insurance payments they made as coverage for a 2008 data breach at Heartland. The insurers subsequently filed a duplicative suit in Illinois regarding the exact same matter.
Trustwave provided Heartland with an assessment of its compliance with PCI DSS. However, such an assessment, as the contract at issue makes clear, in no way guarantees that the company examined has not or cannot be breached.
Trustwave did not manage Heartland's information security, and at no time did Heartland assign blame for the breach or make any claim against Trustwave. The insurers' demand related to a decade-old breach is entirely without merit. Trustwave initiated the lawsuit in order to obtain a resolution of these baseless demands and intends to pursue this matter vigorously.
El Reg invited both Lexington and Beazley to respond to Trustwave's statement. We'll update this story as and when more information comes to hand. Regular readers will recall we mentioned this lawsuit as a breaking news piece at the end of last month.
Heartland Payment Systems copped to a breach in 2008 that involved hackers planting malware on its systems. Later estimates suggested up to 100 million records were exposed, a percentage of which were later used in fraud.
Notorious hacker Albert Gonzalez was charged with masterminding the attack in August 2009 along with attacks on ATM systems leased by 7-Eleven, among other crimes. Gonzalez, a former US Secret Service informant, was jailed for 20 years back in March 2010 over the infamous TJX credit card hack.
Heartland agreed to pay up to $100m into a fund designed to reimburse credit card organisations Visa, Mastercard and AmEx back in 2010. ®