Razer sues IT vendor over data leak, says security breach caused US$7m in losses

Home-grown gaming hardware company Razer has sued an IT vendor for allegedly causing a widely reported cybersecurity breach in 2020 that resulted in a leak of its customer and sales data.

In a case that opened in the High Court on Wednesday (July 13), Razer said the breach caused the company to suffer at least US$7 million in losses.

It includes a significant loss of profits, costs incurred in investigating and responding to the incident and costs incurred by corresponding and dealing with regulators.

Razer is seeking to recover the losses from Capgemini, alleging that one of the defendant’s employees was the culprit who caused the security breach when he misconfigured and disabled the security settings of a computer server.

Razer’s lawyer, Wendell Wong of Drew and Napier, said in his opening statement that its expert ascertained that the security misconfiguration occurred during a 16-minute window on June 18, 2020.

Wong added that experts agreed that the misconfiguration was caused by someone who had accessed the configuration file of a server and disabled the line of code relating to the security settings.

GET BT IN YOUR INBOX DAILY

Start and end each day with the latest news stories and analyses delivered straight to your inbox.

Sign UpVIEW ALL

Between June 18, 2020 and Sept 10, 2002, data stored in the computer system was leaked to the public, he said.

The Straits Times reported then that breach was discovered by cyber-security consultant Volodymyr Diachenko, who estimated that 100,000 customers worldwide had their shipping information and order details leaked.

The customers’ credit card numbers and passwords were safe, Razer had said then.

On Wednesday, Wong said Capgemini “has refused and continues to refuse to take an ounce of responsibility for the cybersecurity breach”.

In its defence, Capgemini said its employee did not cause the misconfiguration and suggests that presence of new IP addresses set up by Razer could have been the cause.

Capgemini also alleged that Razer failed to mitigate its losses by not taking steps after it became aware of the security breach in August 2020 through its support channel.

In the lawsuit, which was filed in 2020, Razer said it engaged Capgemini as its IT consultant in March 2019 to upgrade its digital commerce platform.

Capgemini later recommended that Razer install and use the ELK Stack system, comprising a search and analytics engine, a data processing pipeline and a data visualisation application.

Razer said that on June 17 or June 18, 2020, Capgemini employee Argel Cabalag was tasked to troubleshoot as Razer staff could not log in to the system.

Razer said Cabalag was the only one who accessed the server during the 16-minute window and was also the only one with access who knew how to modify the configuration file.

When Razer’s management team learnt about the cyber security breach and activated Cabalag, he could resolve the issue within a day, said Wong.

Razer denied that it had failed to mitigate its losses and said its management team became aware of the breach on Sept 9, 2020.

“Razer did its best to respond to the cyber security breach as soon as the correct decision-makers in the company were made aware of the same,” said Wong.

The trial continues. THE STRAITS TIMES