
Trustwave Gets Sued: Who Is Next?

With all IT data breaches there is a common cycle. First there is the fear over who is at risk, then theories on how the breach occurred, and finally the blaming and lawsuits start to roll in. In the breach of retailer Target, the lawsuits are now coming in, but in a surprising move, one lawsuit isn’t just going after Target; it’s also going after security vendor Trustwave.

Target first revealed that it had been breached by attackers on 9 December 2013, and ever since, there has been speculation on what went wrong. All US retailers are required to comply with the Payment Card Industry Data Security Standard (PCI-DSS) in order to securely process credit card transactions. The question of Target’s PCI-DSS compliance status has been an important part of the conversation surrounding the data breach, and now the company that conducted the PCI-DSS compliance testing for Target is being named in a legal action.

Who trusts the assessors?

In a class action lawsuit filed on 24 March in the US District Court, Northern District of Illinois, Trustmark National Bank and Green Bank have named Trustwave alongside Target in their complaint.

According to the legal complaint, “Target outsourced its data security obligations to Trustwave, which failed to bring Target’s systems up to industry standards.”

Trustwave declined to comment to eWEEK about the allegation or even admit if Target was in fact a Trustwave client.

The legal complaint alleges that Trustwave scanned the Target network on 20 September 2013, and at the time told Target that there were no vulnerabilities in Target’s systems.

“Additionally, on information and belief, Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target’s systems and compromises of PII (Personally Identifiable Information) or other sensitive data,” the complaint states. “In fact, however, the Data Breach continued for nearly three weeks on Trustwave’s watch.”

The accusation that a key security vendor for Target is somehow also culpable in the data breach is very serious. The issue with many PCI-DSS compliance assessments has long been that the assessments are point-in-time check marks for compliance. It’s a lesson that the newer PCI-DSS 3.0 standard that came into effect in January of this year takes to heart, with a stronger emphasis on process and continuous monitoring efforts.

Is a managed security provider liable?

Certifying an organisation as PCI-DSS compliant does not mean it is invulnerable to attack. It means that at a point in time, the organisation had the security controls in place that made it compliant. The idea that a PCI-DSS assessor could be liable in the event of a breach is a dangerous one. The assessor doesn’t typically run the day-to-day security operations, although in this case, the legal complaint alleges that Trustwave was in fact providing “round-the-clock” monitoring. If a managed service provider (in this case, Trustwave) is on the job and a breach occurs, is it liable in that case?

Every security contract I’ve ever seen has had its fair share of terms and stipulations. Rarely, if ever, have I seen a managed service contract that can guarantee 100 percent that an enterprise will not be breached. Typically, the contracts include service-level agreements (SLAs) and response time stipulations and not iron-clad statements about making an organisation invulnerable.

The reality is that the full truth about the Target breach has not yet been disclosed publicly. Whether a managed service provider like Trustwave or Target’s own staff is at the root cause of the breach remains to be seen.

The Target breach has already claimed the former CIO of Target as a victim. Will it now claim the reputation of Trustwave as well?

No security vendor or technology can make any organisation invulnerable. Security is a combination of people, process and technology and should never be the domain of just one individual, vendor or product. Time will tell where the actual faults are to be found in the Target infrastructure and who in fact is liable for those faults.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.


Originally published on eWeek.
