Two insurance companies have joined together to ask a Cook County judge to order a data security firm to pay $30 million to reimburse the insurers for funds they had to pay out to settle claims resulting from a data breach at Heartland Payment Systems.
Lexington Insurance Company and Beazley Insurance Company filed a complaint June 28 in Cook County Circuit Court against Illinois-based Trustwave Holdings, Inc., and its corporate affiliates, saying Trustwave was ultimately responsible for the 2009 data breach that exposed Heartland, a payment processing firm, to millions of dollars in liability.
According to the complaint, Heartland signed its first sales agreement with Trustwave in 2005 for annual compliance assessment of Heartland’s Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures. Trustwave performed monthly vulnerability scans through 2006 and 2007, then shifted to a Compliance Validation Services for PCI DSS contract, which added remote validation, network penetration and on-site validation services.
The complaint said the 2009 data breach can be traced to July 24, 2007, when malicious code was installed on Heartland’s system via an SQL injection attack aimed at collecting magnetic stripe data. Malware was installed May 14, 2008. According to Lexington and Beazley, Trustwave’s assessments during this time did not result in any report of malicious code or malware on Heartland systems.
According to Lexington and Beazley, Trustwave certified Heartland’s systems as compliant with PCI DSS standards in both 2007 and 2008.
As a result of the breach going undetected, per the complaint, hackers accessed roughly 100 million credit and debit card numbers from more than 650 financial service companies, exposing Heartland to more than $148 million in settlement fees for its liability, damages, remediation costs and other expenses. Further, Heartland defended itself in at least 16 consumer class action complaints, 14 class actions from financial institutions and four securities class actions.
After consolidation of the financial institution complaints, Heartland was accused of being liable for failing to maintain PCI DSS compliance. Visa conducted an independent investigation showing eight PCI DSS violations despite Trustwave’s clean compliance reports. Ultimately, Visa asserted that Trustwave had incorrectly certified Heartland as PCI DSS compliant and prohibited Heartland from employing Trustwave.
Among the areas Visa said Trustwave overlooked were Heartland’s failure to maintain a firewall, its use of vendor-supplied defaults for passwords and other security parameters, insufficient protection of stored data, failure to develop and maintain secure systems and applications, shortcomings in data access restrictions, and failure to assign a unique identification to each person with computer access, to monitor all access to network resources and cardholder data, and to regularly test security systems and processes.
By March 3, 2015, the litigation was resolved through settlements or dismissals. Lexington paid $20 million to Heartland while Beazley reimbursed $10 million in accordance with their insurance policies. The companies are accusing Trustwave of breaching the 2005 and 2007 agreements with Heartland, as well as of breach of express warranty and breach of contractual indemnification related to both contracts.
The complaint also accuses Trustwave of negligent misrepresentation and gross negligence. In addition to a jury trial, Lexington and Beazley seek at least $30 million “for the liabilities, damages, remediation costs, fees and other consequential damages they sustained.”
The insurance companies are represented in the matter by Gordon & Rees LLP, of Chicago.