News hit the wire today that Target's acquiring banks have issued another lawsuit against Target, including Trustwave as a co-defendant. This time the banks are trying to recover some costs incurred from Target's managed data security services provider, presumably for negligence or not detecting the vulnerability and fixing it sooner. This marks new territory for the security industry, and is the first time that a managed security services provider has been subject to action of this kind. It's a milestone case that I'll be watching very carefully.
How can it be the service provider's fault?
I'm assuming that the banks do not have visibility of the managed services contract, but are perhaps using this action in an attempt to have it disclosed. If the managed service provider has promised something in the contract to the customer but has not delivered it, then potentially there's a civil negligence angle. However, is this directed at Target, being the ones who should be carrying out due diligence on their service providers (these are their systems, after all), or is this directed at Trustwave? If the latter, then the lawsuit will struggle, as there is no direct contractual relationship between Trustwave and the banks.
What's really happening?
The banks have lost a LOT of money due to this card data breach and are citing mop-up costs that run into the billions. Whilst it is the banks' responsibility to ensure acquired merchants are PCI DSS compliant, surely they should start disconnecting non-compliant merchants and sending them elsewhere? Why continue carrying the risk? Again, it's about money. Banks are no doubt most appreciative of Target's business and won't be chopping them off any time soon. I'd argue (if asked to!) that banks should be doing far more to ensure their merchants adequately protect data. The banks carry the card scheme fines, not the merchants. This lawsuit isn't going to give a toss about PCI DSS compliance or vulnerability scans; it's going to follow the documented liability trail and work out who, by contract, could potentially cover the banks' losses. Somebody somewhere is going to ask the question “why did the bank continue acquiring this merchant?”. This could perhaps be seen as a desperate measure by the banks to claw back costs.
Does legal action like this help improve our defence against cyber attacks?
Unfortunately not. It forces security companies to play by the book and stick by the rules. Innovation and trying new things out will be frowned upon, even though this is the very thing that criminals are doing. By playing ball, we'll be even further behind in our efforts trying to thwart cyber criminals.
Whose fault is it?
Trustwave's contracts are tried, tested and mature. Target no doubt got what they paid for, and Trustwave delivered according to the scope of services that Target agreed. With regard to outsourced services, they most likely met all of the PCI DSS v2.0 service provider requirements (req. 12.8), which are pretty broad. Under PCI DSS v3.0 it's a LOT clearer who is responsible and accountable for supporting which PCI DSS control, and I'd hazard a guess that if Target had been subject to a PCI DSS v3.0 assessment last year (in theory of course, as v3.0 wasn't available), then these issues could have been picked up.
What next?
The sooner Trustwave gets off the hook, the better. I think it's incredibly unfair to bring them into this lawsuit. I don't know all the facts, but I just don't see how a service provider can be sued unless they've done something VERY wrong, for example uploading the malware to all the POS systems in the first place. Krebs suggested an interesting theory behind the attacks (http://krebsonsecurity.com/tag/target-data-breach/): that an HVAC provider's access credentials were used to gain access, execute malware and exfiltrate the data back out over the net. Basic access control, anti-malware and firewall configurations could have prevented this attack; however, these are unlikely to be offered as “managed services”, so surely the finger should be pointed at Target for not maintaining basic information security controls? Why not sue the HVAC provider? Of anyone, they seem the most “at fault” service provider.