Trustwave Gets Sued: Who Is Next?

With all IT data breaches there is a common cycle. First there is the fear over who is at risk, then theories on how the breach occurred, and finally the blaming and lawsuits start to roll in. In the breach of retailer Target, the lawsuits are now coming in, but in a surprising move, one lawsuit isn’t just going after Target; it’s also going after security vendor Trustwave.

Target first revealed that it had been breached by attackers on 9 December 2013, and ever since, there has been speculation on what went wrong. All US retailers are required to comply with the Payment Card Industry Data Security Standard (PCI-DSS) in order to securely process credit card transactions. The question of Target’s PCI-DSS compliance status has been an important part of the conversation surrounding the data breach, and now the company that conducted the PCI-DSS compliance testing for Target is being named in a legal action.

Who trusts the assessors?

In a class action lawsuit filed on 24 March in the US District Court, Northern District of Illinois, Trustmark National Bank and Green Bank have named Trustwave alongside Target in their complaint.

According to the legal complaint, “Target outsourced its data security obligations to Trustwave, which failed to bring Target’s systems up to industry standards.”

Trustwave declined to comment to eWEEK about the allegation, or even to confirm whether Target was in fact a Trustwave client.

The legal complaint alleges that Trustwave scanned the Target network on 20 September 2013, and at the time told Target that there were no vulnerabilities in Target’s systems.

“Additionally, on information and belief, Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target’s systems and compromises of PII (Personally Identifiable Information) or other sensitive data,” the complaint states. “In fact, however, the Data Breach continued for nearly three weeks on Trustwave’s watch.”

The accusation that a key security vendor for Target is somehow also culpable in the data breach is very serious. The issue with many PCI-DSS compliance assessments has long been that the assessments are point-in-time check marks for compliance. It’s a lesson that the newer PCI-DSS 3.0 standard that came into effect in January of this year takes to heart, with a stronger emphasis on process and continuous monitoring efforts.

Is a managed security provider liable?

If an organisation is certified to be PCI-DSS compliant, it doesn’t necessarily mean it is invulnerable to attack. It means that at a point in time, the organisation had the security controls in place that made it compliant. The idea that a PCI-DSS assessor could be liable in the event of a breach is a dangerous one. The assessor doesn’t typically run the day-to-day security operations, although in this case, the legal complaint alleges that Trustwave was in fact providing “round-the-clock” monitoring. If a managed service provider (in this case, Trustwave) is on the job and a breach occurs, is it liable in that case?

Every security contract I’ve ever seen has had its fair share of terms and stipulations. Rarely, if ever, have I seen a managed service contract that can guarantee 100 percent that an enterprise will not be breached. Typically, the contracts include service-level agreements (SLAs) and response time stipulations and not iron-clad statements about making an organisation invulnerable.

The reality is that the full truth about the Target breach has not yet been disclosed publicly. Whether the root cause of the breach lies with a managed service provider like Trustwave or with Target’s own staff remains to be seen.

The Target breach has already claimed the former CIO of Target as a victim. Will it now claim the reputation of Trustwave as well?

No security vendor or technology can make any organisation invulnerable. Security is a combination of people, process and technology and should never be the domain of just one individual, vendor or product. Time will tell where the actual faults are to be found in the Target infrastructure and who in fact is liable for those faults.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Originally published on eWeek.
