ACE American Insurance Co. is suing to recover $500,000 it paid in ransomware damages for a staffing company, claiming cloud computing and cybersecurity firms contracted by its policyholder should instead be held responsible due to their alleged negligence.
The insurer maintains the two technology firms are responsible for certain failures that made it possible for the ransomware attack to occur and for mistakes made after it happened that increased the damage.
ACE, a Chubb subsidiary, provided cyber insurance to CoWorx Staffing Services for its computer network and data in 2024 when CoWorx was the target of the ransomware attack.
CoWorx, which operates in all 50 states, hired Massachusetts cloud sourcing firm Congruity to provide virtual machines running Microsoft Windows to run CoWorx’s web applications. Under the contract, Congruity was responsible for providing CoWorx with new virtual machines as needed, as well as for securing the host virtualization servers and network. Congruity was responsible for providing “safeguards to secure the operation of the IT systems” that contain CoWorx data, including remote access controls such as multi-factor authentication (MFA). However, according to ACE’s complaint, Congruity never established or enforced MFA to log into the network.
CoWorx was itself responsible for security of the network at the guest virtual machine level. To accomplish this, CoWorx contracted with an Illinois cybersecurity firm, Trustwave, to monitor all Microsoft Windows endpoints, including the guest-level machines hosted at Congruity’s co-location facility. Trustwave installed detection and response software on the CoWorx server and fed logs and other information to Trustwave’s security center, which constantly monitored the network.
What Happened
The complaint sets forth a timeline of what ACE says happened, including the alleged failures that it says affected its insured and led to the $500,000 claim.
On April 18, 2024, threat actors logged into one of the Microsoft Windows virtual machines on the Congruity infrastructure using a compromised password from a CoWorx user. According to ACE, had Congruity enabled multi-factor authentication (MFA) prior to the threat actor’s unauthorized access, the server would have required acknowledgement before allowing external access, thwarting the breach from ever occurring. However, since MFA was not in place, the threat actors were able to access the Congruity infrastructure with the compromised password alone.
The compromised CoWorx user account did not have administrative access to any Congruity server, either guest or host. Despite this, the threat actors were able to elevate permissions, dump credentials out of memory, and log into the host server. ACE argues that this shows that Congruity set up the server environment incorrectly, as no user should have been able to reach the host network from the guest network.
Four days after the initial breach, Trustwave’s software detected that a security event had occurred, but Trustwave categorized the alert only as “moderate” rather than “high” or “critical.” Accordingly, Trustwave did not alert CoWorx of the breach, which ACE says “robbed CoWorx of the opportunity to investigate the incident and backup its files.” Five days later, the threat actors encrypted the virtual machines at the host network level and installed ransomware, requiring CoWorx to purchase the decryptor because it did not have backups of the encrypted files. According to the complaint, had Trustwave properly categorized the event as “high” or “critical” and alerted CoWorx of the breach, CoWorx would have backed up its compromised files.
Negligence and Breach Charges
ACE was obligated to pay $500,000 for the covered damages due to the breach and decryption under its cyber policy with CoWorx.
The lawsuit charges both Congruity and Trustwave with negligence, gross negligence, breach of contract and breach of implied warranty.
Congruity is accused of failing to set up the host and guest networks correctly and failing to enforce MFA, which ACE asserts allowed threat actors to access the guest network with only a compromised CoWorx password, elevate permissions, access the host network and ultimately encrypt CoWorx’s data files and install ransomware.
Trustwave is accused of failing to properly categorize the unauthorized breach as “high” or “critical” and failing to alert CoWorx of the breach in a prompt manner. These alleged failures prevented CoWorx from backing up its files, a step that could have nullified the installed ransomware and mitigated CoWorx’s damages, according to the complaint.
ACE is seeking $500,000 plus interest, attorneys’ fees and costs. The suit was filed in U.S. District Court for New Jersey.