
Insurers hurl sueball at Trustwave over 2008 Heartland megabreach

Firm smacks back: We 'did not manage Heartland's information security'

Security services firm Trustwave has been sued by insurers in America over the 2008 hacking of US payment processing biz Heartland.

Lexington Insurance Company and Beazley Insurance Company allege Trustwave was "negligent" in failing to detect a SQL injection (SQLi) attack, suspicious network activity, and malware associated with Heartland's network security breach.

It is alleged that Trustwave signed Heartland off for Payment Card Industry Data Security Standard (PCI DSS) compliance during a time when its systems were compromised. Trustwave had been hired to assess – but not manage – Heartland's computer security defenses.

The duo are suing Trustwave in an attempt to recover claims payouts of $30m and other costs. Lexington paid $20m to Heartland while Beazley handed over $10m to settle claims brought under insurance policies.

Trustwave has dismissed the insurers' lawsuit as without merit, and launched its own countersuit in Delaware, prompting this latest legal barrage in Illinois. The firm contends that a PCI audit is no guarantee that a company can't be hacked, as its statement to The Register this week explains:

Trustwave filed a lawsuit in Delaware against insurers Lexington and Beazley in response to their time-barred and unwarranted attempt to recoup the insurance payments they made as coverage for a 2008 data breach at Heartland. The insurers subsequently filed a duplicative suit in Illinois regarding the exact same matter.

Trustwave provided Heartland with an assessment of its compliance with PCI DSS. However, such an assessment, as the contract at issue makes clear, in no way guarantees that the company examined has not or cannot be breached.

Trustwave did not manage Heartland's information security, and at no time did Heartland assign blame for the breach or make any claim against Trustwave. The insurers' demand related to a decade-old breach is entirely without merit. Trustwave initiated the lawsuit in order to obtain a resolution of these baseless demands and intends to pursue this matter vigorously.

El Reg invited both Lexington and Beazley to respond to Trustwave's statement. We'll update this story as and when more information comes to hand. Regular readers will recall we mentioned this lawsuit as a breaking news piece at the end of last month.

Heartland Payment Systems copped to a breach in 2008 that involved hackers planting malware on its systems. Later estimates suggested up to 100 million records were exposed, a percentage of which were later used in fraud.

Notorious hacker Albert Gonzalez was charged with masterminding the attack in August 2009 along with attacks on ATM systems leased by 7-Eleven, among other crimes. Gonzalez, a former US Secret Service informant, was jailed for 20 years back in March 2010 over the infamous TJX credit card hack.

Heartland agreed to pay up to $100m into a fund designed to reimburse credit card organisations Visa, Mastercard and AmEx back in 2010. ®
