Due to the potential ramifications of this lawsuit, CyberQP is releasing a briefing co-authored by Brian Milbier, our VP of Information Security, to inform our partners and emphasize the risks MSPs face without a robust cybersecurity program and insurance coverage.
What Happened?
In February 2023, Black Basta, a notorious Ransomware-as-a-Service group successfully breached Mastagni Holstedt, a Sacramento law firm representing public safety professionals in personal injury, disability, and employment cases. On February 26th, 2024, the law firm filed a lawsuit against their MSP (LanTech) and its owner for over $1 million USD for negligence and breach of contract.
Key Takeaways
According to the filed legal complaint, the Sacramento law firm had an oral agreement with its MSP to install a computer network, and offer monitoring, cloud backups, and offer “advice, recommendations, and monitoring services” regarding the firm’s network and cybersecurity. As part of this cybersecurity program, the MSP engaged the cybersecurity and backup vendor Acronis to secure the law firm’s environments.
On February 24th, 2023, the law firm experienced issues connecting to their network until two days later, when the MSP discovered a major outage caused by ransomware in the law firm’s environment. According to a public response from Acronis, they believe that Black Basta ransomware operators compromised the MSP’s access credentials and used them to delete Mastagni Holstedt’s backups and deploy a ransomware attack.
The lawsuit argues that the MSP was negligent since it failed to implement 2FA to secure its Acronis deployment, retain backups for at least 30 days, and failed to detect ransomware or disclose a breach in the law firm’s environment.
Why This Matters to MSPs
While previous lawsuits against CISOs in the enterprise and channel (such as the SEC’s legal complaints charging SolarWinds and its CISO with fraud and internal control failures) have created serious concerns about who will be held liable for data breaches or security incidents, Mastagni Holstedt’s lawsuit is one of the first high-profile cases to argue that an MSP’s owner or managing operator is liable for a breach.
Moreover, scenarios like these demonstrate that the risks and stakes of running an MSP have reached the point that MSPs cannot rely on oral agreements with their end users. Any operationally mature MSP looking to scale its business must clearly outline their Scope of Work and limit their liability for potential incidents in written agreements. In instances like these, MSPs, clients, and incident response or SOC partners may need a shared responsibilities matrix to outline each party’s role in securing their digital environments, and what each party is accountable for in the event of an incident.
In order to mitigate their risks, a MSP should also have cyber insurance coverage for itself, and ideally, require their client to get cyber insurance coverage, and support the customer with technology that aligns with cyber insurance requirements.
Incidents like these also demonstrate the need for MSPs to understand and document their accountability when it comes to cyber security.
Aligning with security controls like CIS help MSPs ensure complete coverage of security controls, which prescribe controls such as MFA requirements for administrative access to assets under CIS Safeguard 6.5, and a data recovery process which also includes automated backups and proper protections against credential dumping, as outlined in CIS Control 11 and T1003 under the MITRE ATT&CK framework.
Next Steps
CyberQP’s security experts recommend that concerned MSPs and end users take the following actions to mitigate their risk:
- Work with your incident response provider and customers on a shared responsibilities matrix, and review this matrix with all clients as they’re onboarded.
- Check in with your vendors on how they comply with recommended best practices, such as CIS, or what mappings and support they provide to the MITRE ATT&CK Framework.
Thank you for reading our latest MSP Incident Insights. To receive an identity-centric threat briefing in your inbox every two weeks, you can sign up for our mailing list here.
