Security firm Trustwave sued by insurance firms over massive Heartland data breach

• Lexington Insurance Company and Beazley Insurance Company allege the security vendor inaccurately certified Heartland as PCI DSS compliant.
• The insurers claim the firm failed to detect an SQL injection attack and malware installed on Heartland's servers.

Security vendor Trustwave has been hit with a lawsuit filed by two insurance companies, Lexington Insurance Company and Beazley Insurance Company, to recover funds used to settle claims over the Heartland Payment Systems data breach. The incident was one of the biggest security breaches of the 2000s.

The insurance firms have claimed Trustwave was to blame for the breach after it failed to detect issues that lead to the massive security breach.

What happened?

In January 2009, Heartland revealed it suffered a major data breach that saw the exposure of over 100 million credit and debit card numbers from more than 650 financial services of Heartland. The incident cost the firm over $148 million in remediation costs, settlements in various lawsuits and expenses owed to customers.

The two insurance companies - Lexington and Beazley - each paid $20 million and $10 million respectively as part of insurance agreements following the breach.

In an attempt to recover the cost, the firms have now sued Trustwave claiming it failed to detect any suspicious activity during its security audits provided to Heartland for two years, including tests for Payment Card Industry Data Security Standard (PCI DSS) compliance and attestation.

Heartland's relationship with Trustwave

Back in 2005, Heartland signed its first agreement with Trustwave for annual compliance assessment of its PCI DSS requirements and security assessment procedures. Between 2006 and 2006, the security firm performed monthly vulnerability scans before shifting to a Compliance Validation services for PCI DSS contract that included remote validation, network penetration and on-site validation services.

However, the insurers allege that Trustwave failed to detect that the attacker used an SQL injection attack to infiltrate Heartland’s systems back in July 2007.

The company failed again to detect malware installed on the payments processor’s servers on May 14, 2008, they noted.

Serious security issues

As per the complaint, Lexington and Beazley said Trustwave had incorrectly certified Heartland as PCI-DSS compliant. According to an independent Visa investigation, eight PCI DSS violations were discovered.

The investigation found that Heartland had failed to maintain a firewall, used vendor-supplied default passwords, did not have sufficient protections for stored data and failed to develop and maintain secure systems and applications. It also failed to assign unique identification to each person accessing its system, and failed to monitor servers and cardholder information at regular intervals.

Despite these serious security shortcomings, Trustwave had deemed Heartland PCI DSS compliant.

The latest lawsuit

Lexington and Beazley allege Trustwave is in breach of the contracts it signed with Heartland for whom it was to provide security services. The lawsuit accuses Trustwave of gross negligence and negligent misrepresentation.

The companies are calling for a jury trial and are seeking at least $30 million “for the liabilities, damages, remediation costs, fees and other consequential damages they sustained”.

However, this isn't the first the security firm has been hit with a lawsuit over a security breach.

In 2014, a group of banks filed a class action lawsuit against Target and named Trustwave as a co-defendant over its role in the infamous 2013 security breach. That case was dropped shortly after it was found that Trustwave was not responsible for the breach.

In 2016, casino operator Affinity Gaming filed a lawsuit against the company after it failed to contain and eradicate a 2013 breach that resulted in the leak of over 300,000 customers’ payment card details. The lawsuit has since been resolved.

Trustwave's response

In response to the latest lawsuit, Trustwave has slammed the insurance firms’ “time-barred and unwarranted attempt” to recover payments resulting from the security breach.

"Trustwave provided Heartland with an assessment of its compliance with PCI DSS. However, such an assessment, as the contract at issue makes clear, in no way guarantees that the company examined has not or cannot be breached," a Trustwave spokesperson said in a statement.

"Trustwave did not manage Heartland's information security, and at no time did Heartland assign blame for the breach or make any claim against Trustwave. The insurers' demand related to a decade-old breach is entirely without merit. Trustwave initiated the lawsuit in order to obtain a resolution of these baseless demands and intends to pursue this matter vigorously."