Admission of culpability leads to early end in trial of Razer's S$10m claim against IT vendor over data leak

SINGAPORE — A civil trial between gaming hardware maker Razer and its information technology (IT) vendor over a cybersecurity breach, which led to the mass leak of Razer customers’ data, came to an early end on Friday (July 22).

A former employee of the vendor, French multinational firm Capgemini, had conceded in his evidence on Thursday afternoon that he was the one who caused the breach, which happened on June 15, 2020.

Before this, Mr Argel Cabalag consistently denied his culpability, but capitulated when he was shown material from a report prepared by Razer’s independent expert.

Razer is suing Capgemini for at least US$7 million (S$9.85 million) in losses, largely comprising loss of profits from its online website.

The trial began in the High Court on Wednesday last week and was set to continue until next week, but Mr Cabalag’s concession meant that more forensic experts, who were set to testify as to who had caused the breach, did not need to appear.

Friday’s hearing ended with Mr Cabalag being further questioned by lawyers representing Razer and Capgemini.

Justice Lee Seiu Kin then directed both parties to file closing submissions, after which he will rule on whether Capgemini is liable to pay damages.

The case first surfaced in September 2020 when an independent security researcher revealed that a leak had exposed the confidential personal information of about 100,000 Razer customers.

No sensitive data such as credit card numbers or passwords were exposed. However, order details, customer and shipping information could have been leaked, the company previously said.

Razer had engaged Capgemini as its IT solutions provider and agreed to implement the ELK Stack platform in its internal IT system.

The ELK Stack platform collects and processes large volumes of data from multiple sources, storing it in one centralised data store.

Experts appointed by both companies agreed that a security misconfiguration — security settings for the ELK Stack being manually disabled — led to the cybersecurity breach on June 18, 2020.

Mr Cabalag then admitted on Thursday that he was responsible for the breach. The day before, he had viewed copies of log entries and snapshots taken from the ELK Stack from the day of the breach.

Capgemini also informed him that its forensic expert found no evidence of tampering for these log entries.

The report by Capgemini’s expert did not contain the log entries that the report prepared by Razer’s expert did, Mr Cabalag told the court.

He said that he did not recall inserting a “#” command, which disabled the security settings of the Kibana application — one of the components of the ELK Stack.

It provides search, viewing, analysis and data visualisation capabilities for data stored and indexed in Elasticsearch, which forms another part of the ELK Stack.

Mr Cabalag’s move allowed unauthenticated access to the Kibana application.

Razer contends that Capgemini breached its contractual obligations, such as ensuring that its IT systems were secure and making sure that its personnel — including Mr Cabalag — had the appropriate and adequate skill, qualifications and experience.

Razer also claims that Capgemini was liable for the breach through its negligence, having owed Razer a duty of care as the subject-matter experts in the IT field.