So it starts. With literally billions of dollars lost through cryptocurrency frauds and security breaches, it was only a matter of time before we started seeing a wave of litigation. On Monday, a case was brought in the United States District Court, Southern District of New York, by IRA Financial Trust against Gemini Trust Company under multiple civil law causes of action. These causes of action have been around for hundreds of years, even though the subject matter is still in its infancy. But this one stands out, because the cybersecurity advertising Gemini published prior to the security breach is specifically cited in the lawsuit.
The Lawsuit Players
IRA is a regulated South Dakota trust company that essentially manages trust accounts for customers; that is the extent of its business. Trust companies know which assets can and cannot be put in trust accounts and what types of accounts (such as retirement accounts) can be held in trust. As a practice, they do not control the assets, give financial advice, or sell investments. Gemini is a New York company that operates a cryptocurrency exchange where customers buy and sell those assets. Companies such as IRA often refer their customers to companies like Gemini as the party that provides the custody and transaction side of managing a trust's assets.
The cyber breach
The complaint, which runs thirty-four pages, spends at least six of them on Gemini's 2019 advertising of its services and security (the Wayback Machine is a powerful weapon), going so far as to make the actual ad an exhibit to the complaint. It focuses on claims such as "we set the standards for crypto cybersecurity", "deeply committed to employing cybersecurity best practices", and "the majority of your cryptocurrency is held in our office offline" (using the term Cold Storage, which is essentially air gapping, for those who deal with classified material).
Without getting too technical, the problems allegedly arose when Gemini's customer load exceeded the capacity of the storage accounts, which caused Gemini to deviate (again, allegedly) from standard practice and use an Application Programming Interface (API) that allows IRA and Gemini customers to trade crypto with the open market and with each other, but only through the use of encrypted API keys.
Predictably, an individual (John Doe) pretended to be a real IRA customer, was able to log in, and transferred cryptocurrency from other customers' accounts to Doe's account. IRA alleges the individual was able to do that because of a "single point of failure" (the API key) in the new software interface. Interestingly, Gemini sent emails to its IRA customers blaming IRA for losing control of the API keys. The complaint alleges the standard causes of action one sees in a security breach case, such as negligence, fraud, breach of contract and violation of state law. Essentially, what we have is Gemini's alleged failure to adhere to the standards it originally promised versus negligent control of a necessary system entrusted to IRA and its customers. Something tells me this lawsuit was filed in anticipation of incoming customer litigation, as a way to get ahead of the blame train.
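The "single point of failure" the complaint describes is the situation where one API credential, once misused, can move funds out of accounts that do not belong to the credential's holder. The following constructed example, added here and not taken from the complaint or from Gemini's or IRA's actual software, contrasts a shared key that is valid for every customer account with per-customer keys bound to a single account and limited to named scopes. All account names, balances and key formats are made up for the illustration; the point is how account binding and scoping contain the damage from a compromised key.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, FrozenSet

# Constructed model of an exchange's API-key authorization layer.
# It is an added illustration, not Gemini's or IRA's real system.


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    secret: bytes
    account: Optional[str]    # None = shared key valid for every account
    scopes: FrozenSet[str]    # subset of {"read", "trade", "transfer"}


class Exchange:
    def __init__(self, balances: Dict[str, int]) -> None:
        self.balances = dict(balances)
        self.keys: Dict[str, ApiKey] = {}

    def issue_key(self, account: Optional[str], scopes: set) -> ApiKey:
        key = ApiKey(secrets.token_hex(8), secrets.token_bytes(32),
                     account, frozenset(scopes))
        self.keys[key.key_id] = key
        return key

    @staticmethod
    def sign(key: ApiKey, payload: dict) -> str:
        # Request authentication: HMAC-SHA256 over a canonical JSON body.
        body = json.dumps(payload, sort_keys=True).encode()
        return hmac.new(key.secret, body, hashlib.sha256).hexdigest()

    def transfer(self, key_id: str, signature: str, payload: dict) -> str:
        key = self.keys.get(key_id)
        if key is None:
            return "denied: unknown key"
        # Constant-time comparison so a tampered or forged body is rejected.
        if not hmac.compare_digest(signature, self.sign(key, payload)):
            return "denied: bad signature"
        if "transfer" not in key.scopes:
            return "denied: key lacks transfer scope"
        src, dst, amount = payload["from"], payload["to"], payload["amount"]
        # Account binding: a scoped key may only move funds out of its own account.
        if key.account is not None and key.account != src:
            return "denied: key not bound to source account"
        if self.balances.get(src, 0) < amount:
            return "denied: insufficient funds"
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return "ok"


def demo_single_point_of_failure() -> dict:
    """Show the blast radius of a shared key versus an account-bound key."""
    ex = Exchange({"alice": 100, "bob": 100, "mallory": 0})
    # Design 1: one shared key that is valid for every customer account.
    shared = ex.issue_key(None, {"read", "trade", "transfer"})
    # Design 2: a key bound to alice's account only.
    alice_key = ex.issue_key("alice", {"read", "trade", "transfer"})

    move_bobs_funds = {"from": "bob", "to": "mallory", "amount": 100}
    results = {}

    # Alice's bound key, even with transfer scope, cannot touch bob's balance.
    results["scoped_key_other_account"] = ex.transfer(
        alice_key.key_id, Exchange.sign(alice_key, move_bobs_funds), move_bobs_funds)

    # The shared key has no such boundary: the same request drains bob.
    results["shared_key_drains_other_account"] = ex.transfer(
        shared.key_id, Exchange.sign(shared, move_bobs_funds), move_bobs_funds)

    # A signed request whose body is altered afterwards fails verification.
    sig = Exchange.sign(shared, {"from": "alice", "to": "mallory", "amount": 1})
    results["tampered_payload"] = ex.transfer(
        shared.key_id, sig, {"from": "alice", "to": "mallory", "amount": 100})

    results["balances"] = dict(ex.balances)
    return results


if __name__ == "__main__":
    for name, outcome in demo_single_point_of_failure().items():
        print(f"{name}: {outcome}")
```

The request-signing step is there because the complaint's dispute is partly about who lost control of the keys; signing does not help once the secret itself is in the wrong hands. What limits the loss in that case is the account binding and the scope check, which is why per-customer, least-privilege credentials rather than one shared key are the usual mitigation for exactly this failure mode.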
People Behind the Technology
Just like anything else that touches the internet, cryptocurrency, for all of its safeguards, is not immune from compromise. Whether the cause is an undiscovered flaw in the software, the use of a different system or method than the one advertised, or negligent control of security keys, humans drive all of those acts and remain the one constant in cybersecurity incidents of all types.