A managed service provider (MSP) has been slapped with a lawsuit by a prominent Sacramento, California law firm alleging that it failed to protect it from a ransomware attack that took down its systems.
The lawsuit, which has generated a significant amount of chatter in the channel community, filed by the law firm Mastagni Holstedt in Sacramento Superior Court, claims that LanTech LLC, a privately-owned Sacramento company, failed to adequately protect it from the attackers.
Related Coverage: MSP Lawsuit: How MSSPs/MSPs Can Protect Themselves from Liability
MSSP Alert has reviewed the complaint in which Mastagni is seeking more than $1 million in damages. The firm employs 42 lawyers.
LanTech owner Terry Berg and backup provider Acronis, a Delaware-based provider, doing business in California, are also named as defendants in the filing. Berg has owned LanTech since its inception in 1994.
The plaintiff alleges that they were forced to pay the attackers, said in the complaint to be Black Basta, an undisclosed sum to regain access to its network. The incident occurred in February, 2023 and the lawsuit was filed last month.
Reached by telephone, a LanTech employee declined to comment and said he knew nothing about the suit. Acronis denied any responsibility for the ransomware attack.
“Our investigation revealed that access credentials may have been compromised outside of our systems and used to delete the firm’s backups and execute a ransomware attack,” the company said in a statement to the Sacramento Bee. “Acronis has not been served with the lawsuit and will not be commenting further on this litigation.”
Black Basta, a Russian-speaking group ransomware-as-a-service crew first detected in 2022, is said to have orchestrated some 300 ransomware attacks that have landed it more than $100 million in bitcoin ransom payments.
LanTech describes itself as a “team of IT engineers with a passion for delivering exceptional service to businesses in the Sacramento region. We specialize in network management and have extensive experience in analyzing, integrating, and maintaining crucial IT systems for our clients.” The MSP lists Microsoft, Dell and HP Enterprise as "partners."
"Major Outage" Sparks Lawsuit
The lawsuit claims that the plaintiff and LanTech entered into an oral agreement in which the MSP was to “provide monitoring service, advice, installation, selling cloud backup and picking and selling software and hardware” for Mastagni.
On February 24, 2023, the law firm alleged it began to experience “connectivity issues,” according to the complaint. The plaintiff subsequently notified LanTech, which said the problem had been “resolved” but did not provide any additional information about its cybersecurity risks, the lawsuit reads.
However, three days later, Mastagni was hit with a “major outage” of its systems that caused it to lose “access to its servers and data,” the lawsuit reads. Mastagni subsequently blamed a failure of LanTech’s cybersecurity protections for the ransomware infection.
“Thereafter, a ransom demand was made by a group known as Black Basta for plaintiff to recover access to its data,” the filing reads. The law firm attempted to recover its data through the Acronis backup system “but discovered that its data backup had been deleted.”
At this point, it's not clear if Black Basta exfiltrated data from Mastagni. However, a data heist might lead to liability for Mastagni, itself, which could be named in lawsuits by its clients should they be exposed to cyberattacks as a result of this event.
Cyber Lawyer's Perspective
That the parties did not enter into a written contract specifically spelling out the terms of the agreement and associated responsibilities and liabilities makes it “difficult to determine” how the lawsuit will be resolved, said Donald Geiter, an attorney specializing in cybersecurity law and policy who works with MSPs.
“What this [lawsuit] brings to light is a common thing that I see in the industry is you’ve got MSPs that know technology very well and businesses that know their business well but don’t know technology,” he said. “There’s a big difference between the delivery of technology and the delivery of cybersecurity.”
While this case might be the first of its kind it won’t be the last, Geiter said.
“The reason that there aren’t any lawsuits of this kind is that often these things are resolved by cyber insurance,” he said. "And, if a large company was the client, the MSP would likely get fired, not sued."
Advice for MSPs
Geiter advises his MSP clients to “make sure you’re all on the same page." For example, MSPs should address the following questions:
- Do you have a solid contract? What sorts of limitation of liability are enforceable under your service contracts?
- Are roles and responsibilities relative to information security clearly identified in the contract?
- Does your target customer base bring extra liability potential to the table?
- Are your customers educated on cyber liability and doing enough to protect themselves?
- What do you know (or don't know) about your subcontractors?
Along those lines, Joseph Brunsman, founder and managing member of the Brunsman Advisory Group, a cyber insurance consultancy, said that the lawsuit is the plaintiff putting their best foot forward trying to say "'oh, we are angels, we have done nothing wrong, it’s all this other guy’s fault,’” he said in a video on the lawsuit.
Brunsman advises MSPs to pay attention to the lawsuit and to some “lessons learned” from the circumstances, specifically as they pertain to contracts.
- Have an appropriate tech E&O (errors and omissions) policy and make sure you understand it.
- Contractually require your clients to carry cybersecurity insurance.
- Be proactive and push liability back to the client.
Brunsman’s advice?
- Talk to your clients about the cybersecurity risk.
- Talk to your clients about what additional, new controls are coming down the pike.
- Talk to your clients about what you’re offering; it’s not just a sales pitch, it’s also assisting you in trying to fight back against some of this liability.
- Talk to an attorney, get a limited liability clause on the books.
“If you have clients that refuse to take basic recommendations from you, then jettison those folks,” Brunsman said.