Gaming firm Razer sues IT vendor for nearly S$10 million in losses over leak of customers’ data

SINGAPORE: Gaming hardware maker Razer has sued a vendor over a cybersecurity breach that led to confidential data of its customers and sales being leaked to the public.

The data leak, which took place over three months from June to September 2020, made headlines when a security researcher revealed that the personal information of about 100,000 Razer customers could have been exposed.

Razer is claiming at least US$7 million (S$9.85 million) in losses from the vendor, French multinational info-technology company Capgemini.

A civil trial over the case began on Wednesday (Jul 13) in the High Court.

Razer, which was co-founded by Singaporean Tan Min-Liang, previously told TODAY that no sensitive data such as credit card numbers or passwords were exposed. Order details, customer and shipping information could have been leaked, the company said then.

Razer is known for its high-end gaming gear such as laptops and keyboards. It has headquarters in both Singapore and California in the United States.

"PLAYED A GAME"

In their opening statement, Razer’s lawyers from Drew & Napier said that Capgemini “played a game of smoke and mirrors and engaged in a myriad of blame-shifting actions”, denying all legal liability for the breach.

Razer contends that one of Capgemini’s employees, Mr Argel Cabalag, had caused the cybersecurity breach when an issue cropped up in Razer’s internal IT system.

Capgemini had recommended the ELK Stack platform to Razer. It collects and processes large volumes of data from multiple sources, storing it in one centralised data store.

Razer’s lawyers said that the company had engaged Capgemini as a “trusted and valued partner” to provide IT solutions. On Capgemini’s recommendation, Razer then agreed to implement the ELK Stack in its IT system, with Capgemini helping the firm to set up and configure the system.

Razer also contracted Capgemini’s personnel to be deployed on-site in its offices and act as go-to experts on the subject matter.

Razer’s lawyers said that due to a security misconfiguration in the ELK Stack, Razer “can and should be able to expect Capgemini to do the right thing by Razer and to be forthcoming with Razer about what went wrong”.

On Jun 17 and 18 in 2020, Mr Cabalag investigated an issue with Razer’s ELK Stack. Razer’s employees could not log in and resolve the issue themselves.

Experts appointed by both companies agreed that the cybersecurity breach on Jun 18 was caused by a security misconfiguration — security settings for the ELK Stack being manually disabled — that same day.

The experts also disagreed with Capgemini’s defence that new Internet provider (IP) addresses set up by Razer could have led to the breach.

Razer’s independent expert said it was most likely that Mr Cabalag caused the security misconfiguration, given the events that occurred.

For example, during a 16-minute window when the expert said the misconfiguration had occurred, Mr Cabalag was the only one troubleshooting the ELK Stack.

He was also the only one with the knowledge and expertise to access and make changes to a configuration file in Razer’s server, and had reported to the Razer team that everything was fine shortly after the 16-minute window.

Razer’s lawyers pointed out that in its post-incident reports, Capgemini had failed to mention that the breach occurred because of actions taken during that window.

When Razer’s management team found out about the breach on Sep 9 in 2020, Mr Cabalag resolved the issue within a day. However, he claimed that he did not cause the breach and Capgemini also claimed that it could not tell who did it.

“Razer understands that Capgemini wants to dig in and ditch Razer at this altar of liability due to reputational issues. However, Capgemini was engaged for the job and was paid in full for it.

“Capgemini should therefore do the right thing by its customer – stand up and take responsibility.”

Razer contended that Capgemini had breached its contractual obligations, such as ensuring that its IT systems were secure and making sure that its personnel — including Mr Cabalag — had the appropriate and adequate skill, qualifications and experience.

Razer also claimed that Capgemini was liable for the breach through its negligence, having owed Razer a duty of care as the subject-matter experts in the IT field.

LOSSES TO BE ASSESSED

The gaming firm is claiming the following in losses:

• Around US$6.85 million in loss of profits from its online website
• S$50,000 for management and employees’ time and expenses
• US$60,000 for engaging a forensic investigator
• S$223,000 for hiring law firm Norton Rose Fulbright to advise and act for Razer in responding to regulators worldwide
• US$2,000 in compensation to the security researcher who discovered the leak, under Razer’s bug bounty programme
• An unquantified sum for loss of profits from its digital bank licence application being rejected

Razer said that the cybersecurity breach was widely reported in mainstream and online media, causing a “wide array of losses” of “upwards of US$7 million at the very least”.

The company also seeks a declaration that Capgemini pays full compensation for all damages, losses and expenses incurred and which Razer may incur as a result of the breach.

On Wednesday, Razer's chief of staff Patricia Liu took the witness stand as the first plaintiff witness. She was also the firm's data protection officer when the data leak happened.

The trial is set to continue for the rest of the week before Justice Lee Seiu Kin.

Razer’s legal team comprises Mr Wendell Wong, Mr Andrew Chua and Ms Olivia Tan from Drew & Napier, while Capgemini is represented by Senior Counsel Andre Yeap, Mr Lionel Tan and Ms Yap Pui Yee from Rajah & Tann.

This story was originally published in TODAY.