Insurer Presses Tech Service Providers to Shoulder Costs of Clients’ Ransomware Attacks

ACE American Insurance Co. has filed a lawsuit to recoup the $500,000 it paid after a ransomware attack on a staffing company, arguing that the cloud-computing and cybersecurity firms hired by its policyholder—not the insurer—should be held liable for the loss due to their alleged negligence.

The insurer contends that the two technology firms bear responsibility for critical lapses that enabled the ransomware attack and for post-incident missteps that deepened the damage.

ACE, a subsidiary of Chubb, issued cyber insurance coverage to New Jersey–based CoWorx Staffing Services in 2024, when the company’s computer network and data were hit by a ransomware attack.

CoWorx, which operates nationwide, contracted Massachusetts-based cloud services provider Congruity to supply Microsoft Windows virtual machines for its web applications. Under the agreement, Congruity was tasked with provisioning new virtual machines as needed and securing the host servers and network infrastructure. The company was also responsible for implementing safeguards to protect CoWorx’s IT systems and data, including remote access controls such as multi-factor authentication (MFA). Yet, ACE’s complaint alleges that Congruity failed to implement or enforce MFA for network logins.

CoWorx was responsible for securing its network at the guest virtual machine level and enlisted Illinois-based cybersecurity firm Trustwave to handle the job. Trustwave monitored all Microsoft Windows endpoints, including guest-level machines hosted at Congruity’s co-location facility, installing detection and response software on CoWorx’s servers and feeding logs and other data to its security center for around-the-clock network surveillance.

What Happened

The complaint outlines a detailed timeline of events, highlighting the alleged failures that ACE claims impacted its insured and culminated in the $500,000 payout.

On April 18, 2024, cyber intruders logged into a Microsoft Windows virtual machine within Congruity’s infrastructure using a stolen CoWorx user password. ACE asserts that if Congruity had enabled MFA, the server would have required an additional verification step, blocking the unauthorized entry. Because MFA was absent, the attackers gained access with the compromised password alone.

Although the compromised CoWorx account lacked administrative access to any Congruity server—guest or host—the attackers still managed to escalate privileges, extract credentials from memory, and breach the host server. ACE contends this demonstrates a critical misconfiguration of Congruity’s server environment, arguing that no user should have been able to move from the guest network to the host network.

Four days after the initial breach, Trustwave’s software detected a security incident but classified it only as “moderate” rather than “high” or “critical.” As a result, Trustwave did not notify CoWorx of the intrusion, which ACE says “robbed CoWorx of the opportunity to investigate the incident and backup its files.” Five days later, the attackers encrypted the virtual machines at the host network level and deployed ransomware, forcing CoWorx to purchase a decryptor due to the lack of backups. According to the complaint, had Trustwave properly flagged the event as “high” or “critical” and alerted CoWorx, the company could have secured its compromised data.

Negligence and Breach Charges

Under its cyber insurance policy with CoWorx, ACE was compelled to pay $500,000 to cover the damages resulting from the breach and the subsequent decryption costs.

The lawsuit accuses both Congruity and Trustwave of negligence, gross negligence, breach of contract, and violation of implied warranties.

Congruity is alleged to have misconfigured both host and guest networks and neglected to enforce MFA, which ACE claims enabled attackers to enter the guest network using only a compromised CoWorx password, escalate privileges, penetrate the host network, and ultimately encrypt CoWorx’s data while deploying ransomware.