Attorney Adds Security Company, State IT Department to Data Breach Lawsuit

Type threatpost
Reporter Anne Saita
Modified 2013-04-17T16:31:17


A former South Carolina lawmaker has added the data security firm Trustwave and the state’s technology department to a lawsuit filed in the wake of a massive data breach at the state’s Department of Revenue.

The Associated Press reports that attorney John Hawkins claims in an amendment that Trustwave “violated and failed to comply with the duties imposed upon them to encrypt data and to expeditiously disclose the breach of security.”

The state hired the managed security service provider in 2005 to secure its databases. Trustwave, an international company based in Chicago, specializes in compliance tools offered through MSSP or cloud-based services. It did not release a statement in response to its inclusion in the lawsuit.

Officials said they hired Trustwave in 2005 as a third-party vendor to be PCI DSS compliant when the state began processing taxpayers’ credit cards to settle tax bills. Since the breach was first reported two weeks ago, the Department of Revenue has been criticized for not using free IT monitoring services provided by another department’s information technology division.

Some 3.6 million personal income tax returns and up to 657,000 business filings were compromised in an international cyber attack disclosed last month. In addition to Social Security numbers, some 387,000 credit card numbers were exposed; all but 16,000 of them were encrypted.

During the filing of the original lawsuit, which seeks class-action status, The Hawkins Law Firm targeted Gov. Nikki Haley and the S.C. Department of Revenue for failing to protect citizens from a massive hack.

“This hacking amounts to a ‘Cyber Hurricane’ and it’s a Category 5,” Hawkins, a former Republican state senator, said in a news release. The lawsuit also cites the state’s failure to notify the public of the breach in a timely manner.

Investigators believe the intrusions began in late August and continued until they were discovered Oct. 10. Notification occurred Oct. 26.

Hawkins told reporters he added the Division of State Information Technology to the lawsuit because the data was taken through its system.

News reports note that current state law limits public agencies’ liability in negligence cases to $600,000 per occurrence. As such, if every victim were part of the case and won, the most each would receive is 16 cents. Hawkins believes his case falls under another law that allows up to $1,000 compensation for each victim.