Gaming firm Razer wins lawsuit against IT vendor over data leak, awarded $8.7m in damages


SINGAPORE - Gaming hardware company Razer has won its lawsuit against an IT vendor over a data leak, and was awarded US$6.5 million (S$8.7 million) in damages by the High Court on Friday.

Shipping information and order details of thousands of customers worldwide were leaked in a cyber-security breach that was widely reported in September 2020.

The gaming firm, which is headquartered in Singapore and the United States, sued the vendor, Capgemini, in the same year over the breach. Capgemini is a multinational IT services company headquartered in France.

The damages awarded largely comprised US$6.1 million in loss of profits from Razer’s e-commerce platform. The amount awarded also included about US$60,000 that Razer paid for a forensic expert to investigate the incident, about US$320,000 to engage a law firm to deal with regulators, and a US$2,000 payment to cyber-security consultant Bob Diachenko, who discovered the breach.

Mr Diachenko had alerted Razer to the breach on Aug 19, 2020. In a post on networking site LinkedIn on Sept 10, 2020, he estimated the total number of affected customers to be around 100,000. On Sept 11, Razer said customers’ credit card numbers and passwords were safe.

The dispute between Razer and Capgemini arose over the misconfiguration of a server file, which led to the data leak.

Razer had engaged IT consultancy WhiteSky Labs in 2019 to upgrade its digital commerce platform. In June 2020, after acquiring WhiteSky, Capgemini took on its contractual obligations owed to Razer.

Capgemini had recommended that Razer install and use an IT solution called the ELK Stack, comprising Elasticsearch, a search and analytics engine; Logstash, a data processing pipeline; and Kibana, a data visualisation application.

On June 17 or 18, 2020, Capgemini employee Argel Cabalag was tasked to do troubleshooting, as Razer staff could not log in to the Kibana system.

Razer, represented by Mr Wendell Wong and Mr Andrew Chua of Drew & Napier, said Mr Cabalag was responsible for the disabling of the security settings of Kibana.

Razer said Mr Cabalag added a “#” command to a configuration file in the Elasticsearch server that controlled security and access to Kibana. This misconfiguration allowed unauthenticated access to the Kibana application.

After being told of the security breach on Sept 9, 2020, Mr Cabalag resolved the issue the next day by removing the “#” command.

Capgemini, represented by Senior Counsel Andre Yeap of Rajah & Tann, said its employee did not cause the misconfiguration and suggested that new IP addresses set up by Razer could have been the cause.

However, on the sixth day of the trial in July 2022, Mr Cabalag admitted that he had been the one who caused the misconfiguration.

Razer argued that Mr Cabalag caused the data leak as a Capgemini employee, and thus Capgemini had breached the consulting services agreement, as it did not exercise reasonable skill and care in carrying out its work.

Capgemini argued that the log-in problem did not fall under the scope of work included in the agreement between them, and that Razer was the one responsible for maintaining the ELK Stack.

In a written judgment on Friday, Justice Lee Seiu Kin found that Mr Cabalag’s assistance on the log-in problem fell within the scope of work set out in the April 2020 statement of work between the parties.

The judge found that Capgemini had breached its contractual obligations to Razer and had also been negligent in its response to Razer’s log-in problem.

As for the damages, Razer’s expert calculated that the loss of profits from Razer.com would likely stand at US$6.1 million.

Capgemini’s expert said the amount did not consider other factors that affected sales, the accuracy of forecast targets and whether lost online sales were mitigated by sales at physical stores. He noted that only 246 customers had sent e-mails about their concerns over the security incident.

Justice Lee said the evidence of 246 customer queries was sufficient to prove that the security incident had impacted the willingness of customers to purchase products from Razer.com.
