A few things. Was Heartland PCI compliant at the time of the hack? If not, how long had they been out of compliance since they were last signed off?
Security services firm Trustwave has been sued by insurers in America over the 2008 hacking of US payment processing biz Heartland. Lexington Insurance Company and Beazley Insurance Company allege Trustwave was "negligent" in failing to detect a SQLi attack, suspicious network activity, and malware associated with Heartland's …
Tuesday 10th July 2018 15:32 GMT EveryTime
So, so tough to make a blind call here.
Certification shops have a reputation for rubber-stamping documents. Insurance places have a reputation for increasing rates to cover any payout and then suing anyone around to double-dip on recovering their losses.
But my call is with the rubber stamp shop. If the insurers had a case, they would have pursued it at the time. Not a decade later. "What were you doing the second Tuesday in October, a decade ago?"
Tuesday 10th July 2018 16:25 GMT a_yank_lurker
The certification is an audit of processes, procedures, etc. which says they are compliant with the applicable standard. The company has been found to meet the standard, not that they are invulnerable or do not have issues, which were probably noted at the time. Audits often find deficiencies in the systems and procedures that need addressing; nothing unusual, even when you are compliant. The findings must typically be addressed within a specified time period to ensure they do not recur. In some fields, it is a fact of life that you will be routinely audited and sometimes dinged by the auditor.
It sounds like the insurance companies are looking to pad their balance sheets at someone's expense. They are probably relying on the public's ignorance about the purpose of an audit to win a judgment.
Tuesday 10th July 2018 18:04 GMT Mark 85
Wednesday 11th July 2018 03:56 GMT Ian Michael Gumby
If the insurers had a case, they would have pursued it at the time. Not a decade later. "What were you doing the second Tuesday in October, a decade ago?"
Perhaps the lawyers are just looking for a nice payday.
The lawsuit didn't just start yesterday.
It takes time to pull things together.
However, to your point, yes, the insurance companies are looking at a way to get some of their money back. It's not a 'payday' because one company lost 20 mil on this... So if they can recover some... they win.
Tuesday 10th July 2018 16:06 GMT usbac
I don't think anyone in IT security has ever thought that being "PCI Compliant" means you are un-hackable. It just means that you maintain a certain baseline level of security.
No one is un-hackable, and if you think you are, you are delusional. It's really just a matter of how hard you are to hack, and is it worth the time of the hacker to break in? High value targets will always have a very hard time keeping systems secure.
I'm sure Heartland paid huge insurance premiums for years. The insurance companies (like someone above noted) are just trying to double-dip. It's sort of pathetic to bring the lawsuit after 10 years.
Tuesday 10th July 2018 16:11 GMT Gordon 10
Article is unclear
Trustwave had been hired to assess – but not manage – Heartland's computer security defenses.
Were they really? or assessing just PCI-DSS compliance?
If Trustwave was assessing PCI-DSS compliance, as far as I know that is not the same as actually assessing the full suite of InfoSec activities. I bet Trustwave had no insight into the quality of those activities, but were merely confirming the processes relevant to PCI-DSS had been followed.
Tuesday 10th July 2018 16:12 GMT GnuTzu
PCI DSS -- Court Worthiness
It's going to be real interesting to see how the courts regard the legal strength of PCI certificate.
One thing that's always bothered me about PCI is that a business's certification only has to be reported to the banks. We consumers have to sit and wonder about the businesses we entrust with our payment card info.
Wednesday 11th July 2018 01:14 GMT Mark Exclamation
Wednesday 11th July 2018 06:29 GMT Richard 12
Depends on the judge.
The judge has the ability to make either side pay some or all of the legal costs of the other. If they think it's frivolous or vexatious then they'll tell the plaintiff to pay the defendants' costs.
This is the main reason most patent troll cases never go to court. The "licence" fee is often slightly lower than the legal costs to defend the case and annul the patent would have been.