Razer sues IT vendor over data leak, says security breach caused US$7m in losses

100,000 Razer customers worldwide had their shipping information and order details leaked. ST PHOTO: CHONG JUN LIANG

SINGAPORE - Home-grown gaming hardware company Razer has sued an IT vendor for allegedly causing a widely reported cyber-security breach in 2020 that resulted in a leak of its customer and sales data.

In a case that opened in the High Court on Wednesday (July 13), Razer said the breach caused the company to suffer at least US$7 million (S$9.84 million) in losses.

It includes a significant loss of profits, costs incurred in investigating and responding to the incident and costs incurred by corresponding and dealing with regulators.

Razer is seeking to recover the losses from Capgemini, alleging that one of the defendant's employees was the culprit who caused the security breach when he misconfigured and disabled the security settings of a computer server.

Razer's lawyer, Mr Wendell Wong of Drew and Napier, said in his opening statement that its expert ascertained that the security misconfiguration occurred during a 16-minute window on June 18, 2020.

Mr Wong added that experts agreed that the misconfiguration was caused by someone who had accessed the configuration file of a server and disabled the line of code relating to the security settings.

Between June 18, 2020 and Sept 10, 2020, data stored in the computer system was leaked to the public, he said.

The Straits Times reported then that breach was discovered by cyber-security consultant Volodymyr Diachenko, who estimated that 100,000 customers worldwide had their shipping information and order details leaked.

The customers' credit card numbers and passwords were safe, Razer had said then.

On Wednesday, Mr Wong said Capgemini "has refused and continues to refuse to take an ounce of responsibility for the cyber-security breach".

In its defence, Capgemini said its employee did not cause the misconfiguration and suggested that presence of new IP addresses set up by Razer could have been the cause.

Capgemini also alleged that Razer failed to mitigate its losses by not taking steps after it became aware of the security breach in August 2020 through its support channel.

In the lawsuit, which was filed in 2020, Razer said it engaged Capgemini as its IT consultant in March 2019 to upgrade its digital commerce platform.

Capgemini later recommended that Razer install and use the ELK Stack system, comprising a search and analytics engine, a data processing pipeline and a data visualisation application.

Razer said that on June 17 or June 18, 2020, Capgemini employee Argel Cabalag was tasked to do troubleshooting, as Razer staff could not log in to the system.

Razer said Mr Cabalag was the only one who accessed the server during the 16-minute window and was also the only one with access who knew how to modify the configuration file.

When Razer's management team learnt about the cyber-security breach and activated Mr Cabalag, he was able to resolve the issue within a day, said Mr Wong.

Razer denied that it had failed to mitigate its losses and said its management team became aware of the breach on Sept 9, 2020.

"Razer did its best to respond to the cyber-security breach as soon as the correct decision-makers in the company were made aware of the same," said Mr Wong.

The trial continues.

Join ST's Telegram channel and get the latest breaking news delivered to you.