ACE American Insurance Co. is suing to recover $500,000 it paid in ransomware damages to a staffing company, claiming cloud computing and cybersecurity firms contracted by its policyholder should instead be held responsible due to their alleged negligence.
The insurer maintains the two technology firms are responsible for certain failures that made it possible for the ransomware attack to occur and for mistakes made after it happened that increased the damage.
ACE, a Chubb subsidiary, provided cyber insurance to New Jersey-based CoWorx Staffing Services for its computer network and data in 2024 when CoWorx was the target of the ransomware attack.
CoWorx, which operates in all 50 states, hired Massachusetts cloud sourcing firm Congruity to provide virtual machines running Microsoft Windows to run CoWorx’s web-applications. Under the contract, Congruity was responsible for providing CoWorx with new virtual machines as needed, as well as for securing the host virtualization servers and network. Congruity was responsible for providing “safeguards to secure the operation of the IT systems” that contain CoWorx data including remote access controls such as multi-factor authentication (MFA).
However, according to ACE’s complaint, Congruity never established or enforced MFA to log into the network.
CoWorx was itself responsible for security of the network at the guest virtual machine level. To accomplish this, CoWorx contracted with an Illinois cybersecurity firm, Trustwave, to monitor all Microsoft Windows endpoints, including the guest level machines hosted at Congruity’s co-location facility. Trustwave installed detection and response software on the CoWorx server and fed logs and other information to Trustwave’s security center which constantly monitored the network.
What Happened
The complaint sets forth a timeline of what ACE says happened including the alleged failures that it says affected its insured and led to the $500,000 claim.
On April 18, 2024, threat actors logged into one of the Microsoft Windows virtual machines on the Congruity infrastructure using a compromised password from a CoWorx user. According to ACE, had Congruity enabled multi-factor authentication (MFA) prior to the threat actor’s unauthorized access, the server would have required acknowledgement before allowing external access, thwarting the breach from ever occurring. However, since MFA was not in place, the threat actors were able to access the Congruity infrastructure with the compromised password alone.
The compromised CoWorx user account did not have administrative access to any Congruity server, either guest or host. Despite this, the threat actors were able to elevate permissions, dump credentials out of memory, and log into the host server. ACE argues that this shows that Congruity set up the server environment incorrectly, as no user should have been able to reach the host network from the guest network.
Four days after the initial breach, Trustwave’s software detected that a security event had occurred but Trustwave only categorized the alert as “moderate” rather than “high” or “critical.” Accordingly, Trustwave did not alert CoWorx of the breach, which ACE says “robbed CoWorx of the opportunity to investigate the incident and backup its files.” Five days later, the threat actors encrypted the virtual machines at the host network level and installed ransomware, requiring CoWorx to purchase the decryptor because it did not have backups of the encrypted files. According to the complaint, had Trustwave properly categorized the event as “high” or “critical” and alerted CoWorx of the breach, CoWorx would have backed up its compromised files.



































