SecurityWeek

Trustwave Named In Lawsuit Surrounding South Carolina Data Breach

The lawsuit against South Carolina following the recent Department of Revenue data breach has been expanded to include data security company Trustwave.

John Hawkins, a former South Carolina state senator and attorney, filed an amendment to the lawsuit claiming Trustwave “violated and failed to comply with the duties imposed upon them to encrypt data and to expeditiously disclose the breach of security,” according to an Associated Press report. South Carolina hired Chicago-based Trustwave back in 2005 to secure its databases and meet its requirements under the Payment Card Industry’s PCI-DSS standard.

South Carolina officials announced on Oct. 26 the massive data breach at the Department of Revenue, which exposed 3.6 million personal income tax returns and 657,000 business filings. Along with Social Security numbers, some credit card numbers were exposed. While most of the credit card numbers were encrypted, none of the Social Security numbers were protected in any way.

“This is a huge development, because we learn for the first time that a large, multinational corporation had assumed the responsibility for securing this data,” Hawkins said in a statement.

Hawkins filed the original lawsuit against Gov. Nikki Haley, the Department of Revenue, and its director last week for negligence in protecting taxpayer data.

Trustwave did not respond to SecurityWeek’s request for comment, and the governor doesn’t seem to think the suit has any merit. “Nothing Mr. Hawkins does surprises the governor, nor does it change her statement from last week: There is a trial lawyer with a hand out and a tissue ready at any crisis,” a spokesperson for the governor told Greenville Online.

State officials said investigators believe the cyber-attacks began in late August, and the data was last stolen Sept. 13. The state first became aware of the breach on Oct. 10, when the Secret Service notified state law enforcement officials. The security hole has since been closed.

According to the Associated Press, Department of Revenue director Jim Etter told state lawmakers during a hearing that Trustwave had scanned the systems on Sept. 14 and Oct. 14, and found no external vulnerabilities.

The Department of Revenue has been criticized for not using the IT monitoring services offered by the State Budget and Control Board’s Division of State Information Technology (DSIT) and going to a third-party contractor instead. Department officials had claimed hiring a third-party contractor was necessary because DSIT didn’t offer PCI-DSS services to protect credit card data.

Hawkins has also added DSIT to the lawsuit and is seeking class-action status. The suit also cited the state for failing to notify the public of the breach in a timely manner.

“This hacking amounts to a ‘Cyber Hurricane’ and it’s a Category 5,” Hawkins said.

Under current state law, liability for public agencies in negligence cases is capped at $600,000, which means that if the lawsuit does get class-action status, victims will get at most $0.16 in compensation. Hawkins is asking the court to consider the suit under a different law, which would allow up to $1,000 in compensation per person.
