ACE American Insurance Co., a subsidiary of Chubb, has filed a lawsuit aiming to recoup $500,000 it paid to a staffing agency following a ransomware attack. The insurer alleges that two technology service providers—one focused on cloud infrastructure and the other on cybersecurity—were negligent and should bear financial responsibility for the breach and resulting losses.

ACE provided cyber liability insurance to CoWorx Staffing Services, a New Jersey-based company with operations across all 50 states. The ransomware attack in question occurred in 2024 and targeted CoWorx’s digital systems and data.

Tech Vendors Under Scrutiny

CoWorx had partnered with Congruity, a Massachusetts-based cloud solutions firm, to supply and manage Microsoft Windows-based virtual machines used to run web applications. As part of its contractual obligations, Congruity was tasked with maintaining the security of the host servers and network infrastructure, including implementing critical safeguards such as multi-factor authentication (MFA) for remote access. However, according to ACE’s legal complaint, Congruity failed to deploy or enforce MFA, leaving systems vulnerable to unauthorized access.

Separately, CoWorx retained Illinois-based cybersecurity firm Trustwave to monitor its Microsoft Windows endpoints—including virtual machines hosted by Congruity. Trustwave’s role was to detect and respond to threats via monitoring software that sent system logs and alerts to its security operations center.

Timeline of the Breach

ACE’s complaint outlines a series of events beginning on April 18, 2024, when threat actors accessed a Windows virtual machine within the Congruity infrastructure using a stolen password associated with a CoWorx account. Because MFA was not in place, the attackers were able to log in without requiring any further authentication.

The compromised user account reportedly lacked administrative rights on both guest and host servers. Despite that, the attackers successfully escalated their privileges, extracted credentials from system memory, and ultimately gained access to the host server—an outcome ACE argues indicates poor network architecture by Congruity. According to the insurer, the security framework should have prevented any user from bridging the guest and host environments.

Four days later, Trustwave’s monitoring tools detected suspicious activity but classified the incident as only “moderate” in severity. As a result, CoWorx was not alerted. ACE contends that this misjudgment cost CoWorx a critical opportunity to respond, investigate, and back up its data before the situation escalated. Five days after the initial intrusion, ransomware was deployed, encrypting files across the host network. With no viable backups, CoWorx was forced to pay for a decryption key to restore access to its systems.

Allegations of Negligence and Contract Breaches

ACE ultimately covered the $500,000 ransom and related expenses under its cyber insurance policy with CoWorx. The insurer is now suing both Congruity and Trustwave in U.S. District Court for the District of New Jersey, claiming:

• Negligence and gross negligence

• Breach of contract

• Breach of implied warranty

Congruity is being held accountable for allegedly failing to enforce MFA and for setting up a network environment that allowed attackers to move laterally from guest machines to host infrastructure—actions that directly enabled the ransomware deployment.

Trustwave, on the other hand, is accused of misclassifying the breach severity and failing to promptly notify CoWorx. ACE argues that if CoWorx had been alerted in time, it could have taken steps to back up its data and potentially avoided paying the ransom altogether.

The insurer is seeking to recover the full $500,000 payout, along with interest, legal fees, and associated costs.