IT company is not responsible for consequences of ransomware

The ICT company PS Logic from Berkel en Rodenrijs is not responsible for the consequences of the ransomware attack that hit the Zabawas Foundation last year. The foundation’s lawyer believed that it was pointless to have an expert examination carried out because his client no longer works with the IT environment that was in use at the time. As a result, the court cannot determine whether PS Logic has failed in this case.

This is stated in the final judgment of the court in Rotterdam.

Only old backup available

In 2013, the Zabawas Foundation entered into an ‘all-inclusive ICT administration’ contract with PS Logic. In it, the ICT company undertook to “proactively manage, maintain and monitor the ICT infrastructure, 24/7 monitoring of service, backups and networks, possible reinstallation of workstations, networks, servers and printers”. The agreement covered four computers, a server and a printer. The foundation paid a monthly amount of 130 euros (excluding VAT) for these services.

In April 2018, one of Zabawas’ systems became infected with ransomware: malware with which hackers, so to speak, put all digital files under lock and key. Operations were temporarily suspended due to the infection. During the restoration work, it turned out that only a backup from July 2017 was available. As a result, the foundation lost a lot of data.

‘Vulnerabilities arise from rookie errors’

Following the incident, the foundation examined its IT environment. Security specialists from Baaten Security concluded that many beginner mistakes had been made. “Various vulnerabilities (deviations from the standard) arise as a result of beginner errors, carelessness and unwise design choices that a ‘normal and reasonably acting’ ICT provider (large or small) must not make despite lack of security agreements.”

According to the security researchers, the ransomware was probably installed via TeamViewer. However, due to limited logging information, this could not be determined with certainty. The agency said it was only a matter of time before the foundation was attacked “given the current state of the ICT environment”. “The level of digital resilience is too low to talk about an appropriate and market-based level of information security,” says Baaten Security.

The court requests an examination carried out by an independent expert

One week after the attack, the Zabawas Foundation held the ICT service provider from Berkel en Rodenrijs responsible for the consequences of the ransomware attack. The ICT company refused to admit liability. The foundation then went to court and demanded compensation of more than 20,000 euros.

The court in Rotterdam said in a preliminary ruling in August last year that it could not answer the question of whether PS Logic had been negligent. The judge suggested appointing an independent expert to map out the circumstances of the service at the time of the ransomware attack.

The court finds against the foundation, which must pay legal costs

The Zabawas Foundation did not think this was a good idea. First, because the foundation no longer worked with the old ICT environment, so the expert’s examination would not yield results. Second, the foundation held that it had already been established that the ICT company had not fulfilled its contractual obligations.

The court respects the foundation’s view. Because the foundation rejected an independent expert’s examination, the judge has no choice but to reject the claim of more than 20,000 euros. “Where Zabawas states that it presupposes that the question will be changed if the court would still need expert information ‘despite the foregoing’, Zabawas misunderstands that there is no need for information, regardless of whether the court has need of information or not, but the possibility of having an expert report issued is proof that Zabawas may or may not use,” the judge wrote in the judgment.

The court wants the foundation to reimburse the legal costs incurred. These amount to 4,244 euros.
