A security vendor is being sued to the tune of $30m by two insurance companies looking to recoup funds they used to settle claims following the Heartland Payment Systems breach.
Lexington Insurance Company and Beazley Insurance Company filed a complaint in Cook County Circuit Court at the end of June against Trustwave, which has since fired back with its own legal action.
The insurers claim the security firm was effectively to blame for one of the biggest breaches of the 2000s after its PCI DSS compliance scans of Heartland failed to pick up issues which led to the security incident, according to reports.
It’s said that Trustwave signed a deal with the payments giant in 2005 and started monthly vulnerability scans in 2006 and 2007 before migrating to providing Compliance Validation for Heartland which added extra network penetration and validation services.
According to the complaint, the 2009 data breach can be traced back to July 24 2007, when malware was installed on Heartland’s system via SQL injection — which was not picked up by the scans.
The result is now well known: attackers were able to compromise around 100 million credit and debit card numbers from over 650 financial service clients of Heartland, costing the firm over $148m.
According to the report, a subsequent Visa investigation found eight PCI DSS violations despite Trustwave’s clean compliance reports. The card giant is said to have then told Heartland to cease its PCI DSS partnership with the security firm.
Insurer Lexington apparently paid $20m to Heartland as a result of its policy while Beazley handed over $10m to its claimant, money they now want back from Trustwave.
In a statement sent to Infosecurity, Trustwave said it had filed a lawsuit in Delaware against the insurers’ “time-barred and unwarranted attempt” to recoup payments resulting from the breach.
“Trustwave provided Heartland with an assessment of its compliance with PCI DSS. However, such an assessment, as the contract at issue makes clear, in no way guarantees that the company examined has not or cannot be breached,” it added.
“Trustwave did not manage Heartland’s information security, and at no time did Heartland assign blame for the breach or make any claim against Trustwave. The insurers’ demand related to a decade-old breach is entirely without merit. Trustwave initiated the lawsuit in order to obtain a resolution of these baseless demands and intends to pursue this matter vigorously.”