Trustwave sued for $40m over Heartland PCI-DSS checks

Trustwave is being sued in the United States by two insurance companies which claim the security vendor was ultimately responsible for the massive 2008 data breach at payments processor Heartland. 

The breach saw hackers raid Heartland for some 100 million credit card records, exposing the payments processor to tens of millions of dollars in liabilities, such as remediation costs and multiple class actions.

A decade later, insurance companies Lexington and Beazley have launched court proceedings against Trustwave, Cook County Record reported, to recover US$30 million (A$40m) of the settlement money they had to pay out.

The complaint alleges the data breach began with malware being planted on Heartland's systems in July 2007.

Trustwave had been contracted to perform yearly checks of Heartland's compliance with the Payment Card Industry Data Security Standards (PCI-DSS) requirements in 2005, moving on to monthly security scans, network penetration testing and other security services for the payments processor.

Despite this, Trustwave did not detect that hackers had installed malware in 2007 through a structured query language (SQL) attack that allowed the attacker to issue commands to an internet-exposed database, the insurers allege.

The insurers also claim Trustwave missed a May 2008 installation of malware on Heartland's systems.

Lexington and Beazley say the security vendor certified Heartland as PCI-DSS compliant during both 2007 and 2008.

As a result of the data breach, in 2009 Visa removed Heartland from its list of PCI-DSS compliant payments processors and said Trustwave had incorrectly certified the company as being compliant with the industry security standard.

Trustwave missed that Heartland did not use a firewall, used default passwords, generally failed to secure systems and applications as well as protect user data, and had no network access monitoring in place, Visa said in its list of PCI-DSS requirement breaches at the time.

A year later, Heartland settled with Visa for US$60 million, of which Lexington paid US$20 million and Beazley US$10 million under insurance policies issued to the payments processor.

The insurers' action follows an earlier bid by Trustwave to have their claims knocked out.

A statement from Trustwave provided to iTnews said the company had "filed a lawsuit in Delaware against insurers Lexington and Beazley in response to their time-barred and unwarranted attempt to recoup the insurance payments they made as coverage for a 2008 data breach at Heartland."  

The Trustwave statement added that "the insurers subsequently filed a duplicative suit in Illinois regarding the exact same matter."

Trustwave spokesperson Steve Fiore told iTnews that the security vendor had taken the two insurers to court in Delaware because of their claims, which he said were baseless and without merit.

Fiore said Trustwave did not manage Heartland’s security, as has been claimed.

This article has been updated to include response from Trustwave.