iTnews

Trustwave sued for $40m over Heartland PCI-DSS checks

By Juha Saarinen on Jul 10, 2018 11:00AM

Insurers want compensation.

Trustwave is being sued in the United States by two insurance companies which claim the security vendor was ultimately responsible for the massive 2008 data breach at payments processor Heartland. 

The breach saw hackers raid Heartland for some 100 million credit card records, exposing the payments processor to tens of millions of dollars in liabilities, such as remediation costs and multiple class actions.

A decade later, insurance companies Lexington and Beazley have launched court proceedings against Trustwave, Cook County Record reported, to recover US$30 million (A$40m) of the settlement money they had to pay out.

The complaint alleges the data breach began with malware being planted on Heartland's systems in July 2007.

Trustwave had been contracted to perform yearly checks of Heartland's compliance with the Payment Card Industry Data Security Standards (PCI-DSS) requirements in 2005, moving on to monthly security scans, network penetration testing and other security services for the payments processor.

Despite this, Trustwave did not detect that hackers had installed malware in 2007 through a structured query language (SQL) injection attack that allowed the attacker to issue commands to an internet-exposed database, the insurers allege.

The insurers also claim Trustwave missed a May 2008 installation of malware on Heartland's systems.

Lexington and Beazley say the security vendor certified Heartland as PCI-DSS compliant during both 2007 and 2008.

As a result of the data breach, in 2009 Visa removed Heartland from its list of PCI-DSS compliant payments processors and said Trustwave had incorrectly certified the company as being compliant with the industry security standard.

Trustwave missed that Heartland did not use a firewall, used default passwords, generally failed to secure systems and applications as well as protect user data, and had no network access monitoring in place, Visa said in its list of PCI-DSS requirement breaches at the time.

A year later, Heartland settled with Visa for US$60 million, of which Lexington paid US$20 million and Beazley US$10 million under insurance policies issued to the payments processor.

The insurers' action follows an earlier bid by Trustwave to have their claims knocked out.

A statement from Trustwave provided to iTnews said the company had "filed a lawsuit in Delaware against insurers Lexington and Beazley in response to their time-barred and unwarranted attempt to recoup the insurance payments they made as coverage for a 2008 data breach at Heartland."

The Trustwave statement added that "the insurers subsequently filed a duplicative suit in Illinois regarding the exact same matter."

Trustwave spokesperson Steve Fiore told iTnews that the security vendor had taken the two insurers to court in Delaware because of their claims, which he said were baseless and without merit.

Fiore said Trustwave did not manage Heartland’s security, as has been claimed.

This article has been updated to include a response from Trustwave.
