Razer sues IT vendor for S$10 million in lost customer data

SINGAPORE: Razer is suing a vendor for a cybersecurity breach that resulted in Razer’s customers’ and sales’ sensitive information being released to the public.

More than 100,000 Razer customers may have been affected by a data leak that occurred over the course of three months in June through September 2020, a security researcher reported.

French giant Capgemini is being sued by Razer for at least $7 million (S$9.85 million) in damages.

On Wednesday (Jul 13), a civil trial for the matter began in the High Court.

As Tan Min-Liang previously told TODAY, no personal information such as credit card numbers or passwords was compromised at Razer. The company warned at the time that order information, customer information, and delivery information could have been leaked.

Laptops and keyboards are among Razer’s best-known products. Both Singapore and California, the United States, are home to its corporate headquarters.

“Capgemini performed a game of smoke and mirrors and engaged in a multitude of blame-shifting actions,” claimed Razer’s lawyers from Drew & Napier in their opening statement.

Argel Cabalag, one of Capgemini’s workers, is being blamed for the cybersecurity breach at Razer, according to Razer.

The ELK Stack platform had been proposed to Razer by Capgemini. One central data store holds all the information gathered and processed from a variety of sources.

Capgemini was described by Razer’s lawyers as a “reliable and valued partner” in providing IT solutions. Razer agreed to use the ELK Stack in its IT system after consulting with Capgemini, and Capgemini assisted Razer in setting up and configuring the system.

Razer has also hired Capgemini’s professionals to be on-site at its offices and serve as subject matter experts.

Razer’s lawyers stated that Capgemini “should and should be able to expect Razer to do the right thing by Capgemini and to be forthright with Razer about what went wrong” because of a security misconfiguration in the ELK Stack.

Mr Cabalag investigated a problem with Razer’s ELK Stack on the 17th and 18th of June, 2020. Employees of Razer were unable to log in and fix the problem on their own.

The security compromise on June 18 was caused by a security misconfiguration — security settings for the ELK Stack were manually disabled, according to experts hired by both organizations — on the same day.

Capgemini’s explanation that the breach could have been caused by Razer’s use of new Internet service provider (IP) addresses was also rejected by the experts.

According to an impartial expert from Razer, given the sequence of events, Mr Cabalag was most likely responsible for the security breach.

Mr Cabalag, for example, was the only one working on the ELK Stack during a 16-minute period in which the expert said the misconfiguration had happened.

Only he was capable of gaining access to Razer’s server and making modifications to a configuration file, and he immediately informed the Razer staff that everything was working as it should.

Razer’s attorneys argued that Capgemini had failed to state in its post-incident reports that the breach occurred as a result of actions made during that time period.

Upon discovering the breach on September 9, 2020, Mr Cabalag fixed the issue within one working day. However, he insisted that the breach was not his fault and Capgemini insisted that it was unable to determine who was responsible.

For the sake of Razer’s reputation, Capgemini has decided to dig in and abandon Razer at the altar of responsibility. Capgemini, on the other hand, was hired and paid for the work.

In order to do the right thing by its customer, Capgemini should “step up and take responsibility.”

As a result, Razer said that Capgemini had failed to meet its contractual responsibilities, including ensuring that its IT systems were safe and that its employees, including Mr Cabalag, had the relevant and adequate competence, qualifications and experience.

As the subject-matter specialists in the IT industry, Capgemini owes Razer a duty of care, and as a result, Capgemini was held liable for the breach through negligence.

A “broad array of losses” of “upwards of US$7 million at the very least” were reported by both traditional and online media, according to Razer.

In addition, Capgemini wants a court order requiring the firm to pay Razer’s complete damages, losses, and expenditures as a result of the breach.

As the first plaintiff witness, Patricia Liu, the chief of staff for Razer, appeared in court on Wednesday. When the data leak occurred, she was also the company’s data protection officer.

Lee Seiu Kin, the judge in the case, has set a trial date for the remainder of the week to proceed.

Mr Wendell Wong, Mr Andrew Chua, and Ms Olivia Tan from Drew & Napier represent Razer’s legal team, while Mr Andre Yeap, Mr Lionel Tan, and Ms Yap Pui Yee from Rajah & Tann represent Capgemini’s.