BreachExchange mailing list archives

Trustwave Named In Lawsuit Surrounding South Carolina Data Breach


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Mon, 10 Dec 2012 17:52:59 -0500

http://www.securityweek.com/trustwave-named-lawsuit-surrounding-south-carolina-data-breach

The lawsuit against South Carolina following the recent Department of
Revenue data breach has been expanded to include data security company
Trustwave.

John Hawkins, a former South Carolina state senator and attorney,
filed an amendment to the lawsuit claiming Trustwave "violated and
failed to comply with the duties imposed upon them to encrypt data and
to expeditiously disclose the breach of security," according to an
Associated Press report. South Carolina hired Chicago-based Trustwave
back in 2005 to secure its databases and meet its requirements under
the Payment Card Industry's PCI-DSS standard.

South Carolina officials announced Oct. 26 the massive data breach at
the Department of Revenue which exposed 3.6 million personal income
tax returns and 657,000 business filings. Along with Social Security
numbers, some credit card numbers were exposed. While most of the
credit card numbers were encrypted, none of the Social Security
numbers were protected in any way.

“This is a huge development, because we learn for the first time that
a large, multinational corporation had assumed the responsibility for
securing this data,” Hawkins said in a statement.

Hawkins filed the original lawsuit against Gov. Nikki Haley, the
Department of Revenue, and its director last week for negligence in
protecting taxpayer data.

Trustwave did not respond to SecurityWeek's request for comment and
the governor doesn't seem to think the suit has any merit. "Nothing
Mr. Hawkins does surprises the governor, nor does it change her
statement from last week: There is a trial lawyer with a hand out and
a tissue ready at any crisis," a spokesperson for the governor told
Greenville Online.

State officials said investigators believe the cyber-attacks began in
late August, and the data was last stolen Sept. 13. The state first
became aware of the breach on Oct. 10, when the Secret Service
notified state law enforcement officials. The security hole has since
been closed.

According to Associated Press, the Department of Revenue director Jim
Etter had told state lawmakers during a hearing that Trustwave had
scanned the systems on Sept. 14 and Oct. 14, and found no external
vulnerabilities.

The Department of Revenue has been criticized for not using the IT
monitoring services offered by State Budget and Control Board’s
Division of State Information Technology and going to a third-party
contractor instead. Department officials had claimed hiring a
third-party contractor was necessary because DSIT didn't offer PCI-DSS
services to protect credit card data.

Hawkins has also added DSIT to the lawsuit and is seeking class-action
status. The suit also cited the state for failing to notify the public
of the breach in a timely manner.

"This hacking amounts to a 'Cyber Hurricane' and it's a Category 5,"
Hawkins said.

Under current state law, liability for public agencies in negligence
cases is capped at $600,000, which means that if the lawsuit does get
class-action status, victims will get at most $0.16 in compensation.
Hawkins is asking the court to consider the suit under a different
law, which would allow up to $1,000 in compensation per person.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
