Trustwave Named In Lawsuit Surrounding South Carolina Data Breach

The lawsuit against South Carolina following the recent Department of Revenue data breach has been expanded to include data security company Trustwave.

John Hawkins, a former South Carolina state senator and attorney, filed an amendment to the lawsuit claiming Trustwave “violated and failed to comply with the duties imposed upon them to encrypt data and to expeditiously disclose the breach of security,” according to an Associated Press report. South Carolina hired Chicago-based Trustwave back in 2005 to secure its databases and meet its requirements under the Payment Card Industry’s PCI-DSS standard.

South Carolina officials announced on Oct. 26 a massive data breach at the Department of Revenue that exposed 3.6 million personal income tax returns and 657,000 business filings. Along with Social Security numbers, some credit card numbers were exposed. While most of the credit card numbers were encrypted, none of the Social Security numbers were protected in any way.

“This is a huge development, because we learn for the first time that a large, multinational corporation had assumed the responsibility for securing this data,” Hawkins said in a statement.

Hawkins filed the original lawsuit against Gov. Nikki Haley, the Department of Revenue, and its director last week for negligence in protecting taxpayer data.

Trustwave did not respond to SecurityWeek’s request for comment and the governor doesn’t seem to think the suit has any merit. “Nothing Mr. Hawkins does surprises the governor, nor does it change her statement from last week: There is a trial lawyer with a hand out and a tissue ready at any crisis,” a spokesperson for the governor told Greenville Online.

State officials said investigators believe the cyber-attacks began in late August, and the data was last stolen Sept. 13. The state first became aware of the breach on Oct. 10, when the Secret Service notified state law enforcement officials. The security hole has since been closed.

According to the Associated Press, Department of Revenue director Jim Etter told state lawmakers during a hearing that Trustwave had scanned the systems on Sept. 14 and Oct. 14, and found no external vulnerabilities.

The Department of Revenue has been criticized for not using the IT monitoring services offered by the State Budget and Control Board’s Division of State Information Technology (DSIT) and going to a third-party contractor instead. Department officials had claimed hiring a third-party contractor was necessary because DSIT didn’t offer PCI-DSS services to protect credit card data.

Hawkins has also added DSIT to the lawsuit and is seeking class-action status. The suit also cited the state for failing to notify the public of the breach in a timely manner.

“This hacking amounts to a ‘Cyber Hurricane’ and it’s a Category 5,” Hawkins said.

Under current state law, liability for public agencies in negligence cases is capped at $600,000, which means if the lawsuit does get class-action status, victims will get at most $0.16 in compensation. Hawkins is asking the court to consider the suit under a different law, which would allow up to $1,000 in compensation per person.
