Insurers hurl sueball at Trustwave over 2008 Heartland megabreach

Security services firm Trustwave has been sued by insurers in America over the 2008 hacking of US payment processing biz Heartland. Lexington Insurance Company and Beazley Insurance Company allege Trustwave was "negligent" in failing to detect a SQLi attack, suspicious network activity, and malware associated with Heartland's …

  1. kain preacher

    Few things. Was Heartland PCI compliant at the time of the hack? If not, how long were they out of compliance since they were last signed off?

    1. Ian Michael Gumby

      @Kain Preacher ...

      The simple answer is that it's possible to be in compliance with PCI and still be hacked.

      As much as I dislike Trustwave, the lawsuit will go their way.

      There's a lot of legal wiggle room and the law is on Trustwave's side.

      1. kain preacher

        Re: @Kain Preacher ...

        Ian, that's why I was asking if they were in PCI compliance. If they were, this case should be given summary dismissal.

  2. EveryTime

    So, so tough to make a blind call here.

    Certification shops have a reputation for rubber-stamping documents. Insurance places have a reputation for increasing rates to cover any payout and then suing anyone around to double-dip on recovering their losses.

    But my call is with the rubber stamp shop. If the insurers had a case, they would have pursued it at the time. Not a decade later. "What were you doing the second Tuesday in October, a decade ago?"

    1. a_yank_lurker

      @EveryTime

      The certification is an audit of process, procedures, etc. which says they are compliant to the applicable standard. The company has been found to meet the standard, not that they are invulnerable or do not have issues which were probably noted at the time. Audits often find deficiencies in the systems and procedures that need addressing, nothing unusual even when you are compliant. The findings must be addressed typically within a specified time period to ensure they do not reoccur. In some fields, it is a fact of life that you will be routinely audited and sometimes dinged by the auditor.

      It sounds like the insurance companies are looking to pad their balance sheets at someone's expense. They are probably relying on the public's ignorance about the purpose of an audit to win a judgment.

    2. Mark 85

      If the insurers had a case, they would have pursued it at the time. Not a decade later. "What were you doing the second Tuesday in October, a decade ago?"

      Perhaps the lawyers are just looking for a nice payday.

      1. BebopWeBop

        Never! Lawyers would shurely shrink from such behaviour. Maybe?

      2. Ian Michael Gumby

        If the insurers had a case, they would have pursued it at the time. Not a decade later. "What were you doing the second Tuesday in October, a decade ago?"

        Perhaps the lawyers are just looking for a nice payday.

        -=-

        The lawsuit didn't just start yesterday.

        It takes time to pull things together.

        However, to your point, yes the insurance companies are looking at a way to get some of their money back. It's not a 'payday' because one company lost 20mil on this... So if they can recover some... they win.

    3. kain preacher

      Wait, I missed that it's a decade ago. Wouldn't statutes of limitations kick in?

  3. usbac Silver badge

    I don't think anyone in IT security has ever thought that being "PCI Compliant" means you are un-hackable. It just means that you maintain a certain baseline level of security.

    No one is un-hackable, and if you think you are, you are delusional. It's really just a matter of how hard you are to hack, and is it worth the time of the hacker to break in? High value targets will always have a very hard time keeping systems secure.

    I'm sure Heartland paid huge insurance premiums for years. The insurance companies (like someone above noted) are just trying to double-dip. It's sort of pathetic to bring the lawsuit after 10 years.

  4. Gordon 10

    Article is unclear

    Trustwave had been hired to assess – but not manage – Heartland's computer security defenses.

    Were they really? Or just assessing PCI-DSS compliance?

    If Trustwave was assessing PCI-DSS compliance, afaik it is not the same as actually assessing the full suite of InfoSec activities. I bet Trustwave had no insight as to the quality of those activities, but were merely confirming the processes relevant to PCI-DSS had been followed.

  5. GnuTzu

    PCI DSS -- Court Worthiness

    It's going to be real interesting to see how the courts regard the legal strength of a PCI certificate.

    One thing that's always bothered me about PCI is that a business's certification only has to be reported to the banks. We consumers have to sit and wonder about the businesses we entrust with our payment card info.

    1. stiine Silver badge

      Re: PCI DSS -- Court Worthiness

      If you're not equally worried about the banks, you are deluding yourself.

  6. Doctor Syntax Silver badge

    Who provides Trustwave's insurance? Presumably these two have done due diligence to make sure it's not themselves.

  7. Anonymous Coward

    Trustwave portal requires Adobe Flash Player?

    Click to enable Adobe Flash Player

  8. Mark Exclamation

    Costs

    When the insurance companies lose these cases, are they going to cover Trustwave's costs? They should, but being the USA it seems likely that they won't. It's so easy to sue someone when you only have to worry about your own costs!

    1. Richard 12 Silver badge

      Re: Costs

      Depends on the judge.

      The judge has the ability to make either side pay some or all of the legal costs of the other. If they think it's frivolous or vexatious then they'll tell the plaintiff to pay the defendants' costs.

      This is the main reason most patent troll cases never go to court. The "licence" fee is often slightly lower than the legal costs to defend the case and annul the patent would have been.

      Strange that.
