Razer's S$10m lawsuit: IT vendor's ex-employee admits causing breach that led to customers' data leak

SINGAPORE — After maintaining his innocence for months, a former employee of info-technology firm Capgemini, the IT vendor of gaming hardware maker Razer, admitted that he caused a cybersecurity breach, which led to a months-long data leak.

A Razer store in Funan Mall.
  • Razer is suing its IT solutions provider, Capgemini, for at least US$7 million (S$9.85 million) in losses
  • The lawsuit is over a cybersecurity breach that led to the leak of thousands of its customers’ personal data
  • A former Capgemini employee admitted that he was the source of the breach
  • He said that he changed his stance after viewing material provided by Razer’s independent expert

This reversal in positions on Thursday (July 21) came during an ongoing civil trial, which began in the High Court here about a week ago after homegrown firm Razer sued Capgemini, a French multinational IT firm.

Razer is seeking to recover at least US$7 million (S$9.85 million) in losses — largely comprising loss of profits from its online website — from Capgemini.

Capgemini’s former technology lead, Mr Argel Cabalag, previously claimed that he did not cause the cybersecurity breach. Capgemini also claimed that it could not tell who did it.

The case first surfaced in September 2020 when an independent security researcher revealed that a leak, which emerged in June 2020, had exposed the confidential personal information of about 100,000 Razer customers.

No sensitive data such as credit card numbers or passwords were exposed. However, order details, customer and shipping information could have been leaked, the company previously told TODAY.

16-MINUTE WINDOW

Razer had engaged Capgemini as its IT solutions provider and agreed to implement the ELK Stack platform in its internal IT system.

The ELK Stack platform collects and processes large volumes of data from multiple sources, storing it in one centralised data store.

Experts appointed by both companies agreed that a security misconfiguration — security settings for the ELK Stack being manually disabled — led to the cybersecurity breach on June 18, 2020.

Razer’s independent expert, Mr Mark Whittley, found that Mr Cabalag most likely caused the security misconfiguration.

For example, during a 16-minute window when the expert said that the misconfiguration had occurred, Mr Cabalag was the only one troubleshooting the ELK Stack. He was helping Razer to resolve a log-in issue.

Razer’s lawyers pointed out that in its post-incident reports, Capgemini failed to mention that the breach occurred because of actions taken during the 16-minute window.

When Razer’s management team found out about the breach on Sept 9, 2020, Mr Cabalag resolved the issue within a day. 

Razer now contends that Capgemini breached its contractual obligations, such as ensuring that its IT systems were secure and making sure that its personnel — including Mr Cabalag — had the appropriate and adequate skill, qualifications and experience.

Razer also claims that Capgemini was liable for the breach through its negligence, having owed Razer a duty of care as the subject-matter experts in the IT field.

INSERTED '#' COMMAND

On Thursday afternoon, Mr Cabalag gave a short written statement saying that on Wednesday, he was shown copies of log entries and snapshots taken from the ELK Stack from the day of the cybersecurity breach.

This material was in Mr Whittley’s report dated June 24 this year.

Mr Cabalag wrote that he previously did not have the benefit of this material. After being informed by Capgemini that its forensic expert had found no evidence of tampering with the log entries, he now accepts that he was responsible for the breach.

He said that he did not recall inserting a “#” command, which disabled the security settings of the Kibana application — one of the components of the ELK Stack.

Kibana provides search, viewing, analysis and data visualisation capabilities for data stored and indexed in Elasticsearch, which forms another part of the ELK Stack.

Mr Cabalag’s move allowed unauthenticated access to the Kibana application.

Under questioning from Mr Wendell Wong, one of Razer’s lawyers, Mr Cabalag testified during the trial that he repeatedly told Capgemini’s senior director Julian Douch that he did not cause the misconfiguration.

“He asked if I did it. I said no because as far as I can remember, I just did a restart (of the Kibana and Elasticsearch applications),” Mr Cabalag said.

He added that he maintained this from September 2020, when Capgemini’s appointed expert finalised a report on the breach, to September last year when he left Capgemini.

The report by Capgemini’s expert did not contain the log entries that Mr Whittley’s report did, Mr Cabalag told the court.

When Mr Wong questioned him about whether Capgemini engaged an expert to find the probable root cause of the breach, Mr Cabalag said he heard from Mr Douch that they had reached out to a vendor to perform an analysis.

Mr Wong told the court that he will continue cross-examining Mr Cabalag on Friday, and that he will make submissions to High Court judge Lee Seiu Kin about Capgemini’s conduct.

The lawyer said that he will seek costs on an indemnity basis from Capgemini. He anticipates that the firm will try to establish that they were not in a position to confront Mr Cabalag until Wednesday.

Indemnity costs are ordinarily awarded when a party maintains proceedings that it should know have no real prospects of success.

Razer, co-founded by Singaporean Tan Min-Liang, is known for its high-end gaming gear such as laptops and keyboards. It has headquarters in both Singapore and California in the United States.

Its legal team comprises Mr Wong, Mr Andrew Chua and Ms Olivia Tan from Drew & Napier, while Capgemini is represented by Senior Counsel Andre Yeap, Mr Lionel Tan, Ms Yap Pui Yee and Ms Victoria Tan from Rajah & Tann.
