ACE American Insurance Co., a subsidiary of Chubb, has filed a lawsuit seeking reimbursement of $500,000 it paid after a ransomware incident involving its policyholder, CoWorx Staffing Services. The insurer argues that two technology vendors hired by CoWorx — a cloud service provider and a cybersecurity firm — were responsible for critical failures that allowed the attack to occur and escalate.

The complaint, filed in U.S. District Court for New Jersey, accuses both vendors of negligence and breach of contract.

Background on the Breach

CoWorx, a staffing company based in New Jersey with nationwide operations, suffered a ransomware attack in 2024. At the time, it held a cyber insurance policy with ACE covering damages related to network and data breaches.

To manage its IT infrastructure, CoWorx had contracted with Congruity, a Massachusetts-based cloud services firm. Congruity was tasked with providing and managing Microsoft Windows virtual machines for CoWorx’s applications. Their responsibilities included maintaining the security of host servers and implementing proper safeguards — including multi-factor authentication (MFA) for remote access. However, according to ACE, Congruity failed to implement MFA, leaving the system open to attack.

CoWorx also hired Trustwave, a cybersecurity firm based in Illinois, to monitor its systems for threats. Trustwave installed detection and response tools on CoWorx servers and analyzed the data through its own security center, providing around-the-clock network monitoring.

How the Attack Unfolded

According to the lawsuit, on April 18, 2024, hackers gained access to a CoWorx virtual machine hosted by Congruity by using stolen login credentials. Because MFA had not been enabled, the attackers were able to log in without any additional authentication.

Although the compromised account lacked administrative privileges, the attackers were able to escalate access, extract credentials, and penetrate the host network — something ACE alleges was only possible due to flaws in how Congruity configured the virtual environment. ACE contends that the architecture should have prevented such lateral movement between guest and host systems.

Four days after the intrusion, Trustwave’s monitoring software detected suspicious activity but rated the alert as “moderate” in severity. As a result, CoWorx was not notified. ACE claims this delay prevented CoWorx from backing up its data in time. Five days later, the attackers deployed ransomware, encrypting files across the system. Without backups, CoWorx had no choice but to pay for a decryption tool.

Legal Claims Against Vendors

ACE, having paid the $500,000 claim under its cyber insurance policy, is now pursuing damages from Congruity and Trustwave. The insurer is alleging:

• Negligence and gross negligence

• Breach of contract

• Breach of implied warranty

Congruity is being blamed for failing to enforce MFA and for improperly setting up a network structure that allowed attackers to gain elevated access and reach the host environment.

Trustwave is accused of mishandling the breach by underestimating its severity and failing to alert CoWorx promptly, thus preventing any chance to mitigate the damage.

ACE is requesting reimbursement of the full $500,000 payout, in addition to interest, legal expenses, and court costs.