Barracuda A.I CyberSecurity Scoring
Barracuda
Company Information
Website: http://www.barracuda.com
Number of employees: 2,229
Number of followers: 79,262
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: barracuda.com
Barracuda Risk Score (AI oriented)
Between 0 and 549
Barracuda, Computer and Network Security
Updated: 23/04/2026
456/1000
Critical
C

Barracuda: Critical
Current Score: 456 C (CRITICAL), on a scale of 0 to 1000
5 incidents
-106.33 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
470
MAY 2026
462
APRIL 2026
518
Breach
22 Apr 2026 • Barracuda
Barracuda Networks, Inc., Zoll Medical Corporation and Blackbaud, Inc.: Legal Analysis: Insurer Subrogation Rights Under Scrutiny
Court Rulings on Subrogation Rights in Cybersecurity Breaches: Axis v. Barracuda and Travelers v. Blackbaud
456
CRITICAL-62
BLABARZOL1776911191
Court Rulings Shape Subrogation Rights in Cybersecurity Breaches: Key Cases Define Vendor Liability
Two recent court decisions, Axis Insurance Company v. Barracuda Networks, Inc. (2025) and Travelers Casualty and Surety Company of America v. Blackbaud, Inc. (2026), have clarified the limits of insurers’ subrogation rights against vendors following data breaches, with outcomes hinging on contractual relationships and legal standing.
### Axis v. Barracuda: No Privity, No Subrogation
In Axis v. Barracuda, the U.S. First Circuit Court of Appeals ruled on November 20, 2025, that insurer Axis could not pursue subrogation against Barracuda Networks after a breach exposed Zoll Medical Corporation’s customer data. The case stemmed from a 2023 incident where Barracuda’s email archiving service, used by Zoll’s vendor Fusion LLC, was compromised. Zoll settled a class-action lawsuit from affected customers and sought recovery from Fusion and Barracuda.
The court rejected Axis’s equitable indemnification claim, finding no direct or vicarious contractual relationship between Zoll and Barracuda, only a chain of independent contracts (Zoll-Fusion, Fusion-Barracuda). Without privity, the court ruled that equitable indemnification, a narrow remedy, could not reallocate risk post-breach. The First Circuit also dismissed Axis’s breach-of-contract claim, affirming that Fusion failed to meet a contractual condition precedent (a liability-limiting provision) and that Barracuda’s lack of audit obligations did not waive this defense. Similarly, Axis’s claim for breach of the covenant of good faith failed, as Fusion had not negotiated protections for breach scenarios.
### Travelers v. Blackbaud: Direct Contracts Enable Subrogation
In contrast, the Delaware Supreme Court ruled on February 13, 2026, in Travelers v. Blackbaud that insurers could proceed with subrogation claims against the software provider. Blackbaud, which provided donor management services to nonprofits, suffered a 2020 ransomware attack but offered clients only a self-remediation "toolkit" instead of direct support. Insurers, including Travelers, covered their policyholders’ incident response costs (legal fees, notifications, credit monitoring) and sued Blackbaud for recovery.
The lower court dismissed the case, citing insufficiently pleaded aggregate claims under New York law. However, the Delaware Supreme Court overturned the decision, finding that the insurers had adequately alleged breach of contract. Unlike Axis, the insureds had direct contracts with Blackbaud, giving insurers standing to pursue subrogation. The court emphasized that Blackbaud could address individual claims through discovery, and that foreseeable breach-related costs (e.g., remediation expenses) constituted recoverable damages.
### Key Takeaways: Contracts Determine Liability
The rulings underscore a critical distinction: subrogation claims against vendors require a direct contractual relationship between the insured and the breached party. In Axis, the lack of privity doomed the claim, while Travelers succeeded because the insureds’ contracts with Blackbaud established clear liability pathways. Both decisions reinforce that:
- Equitable indemnification is unavailable without a direct or derivative contractual link.
- Breach-of-contract claims hinge on compliance with contractual terms, including conditions precedent.
- Aggregate subrogation may proceed if insurers plead sufficient facts, as seen in Travelers.
The cases signal that cyber insurers and policyholders must scrutinize vendor contracts for liability clauses, indemnification rights, and subrogation waivers to mitigate exposure in breach scenarios.
MARCH 2026
513
FEBRUARY 2026
657
Ransomware
18 Feb 2026 • Barracuda
Barracuda Networks: Now firewalls being exploited to launch Ransomware Attacks
Cybercriminals Exploit Firewalls as Ransomware Entry Points
505
CRITICAL-152
BAR1775573212
Cybercriminals Exploit Firewalls as Ransomware Entry Points in Alarming New Trend
A recent study by Barracuda Networks reveals that cybercriminals are increasingly targeting firewalls, traditionally a core defense mechanism, to launch ransomware attacks. Rather than bypassing perimeter security, attackers are compromising it directly by exploiting misconfigurations, outdated firmware, or unpatched vulnerabilities.
The Barracuda Managed XDR Global Threat Report highlights the speed and efficiency of these attacks. In cases involving Akira ransomware, threat actors escalated breaches into full-system encryption in as little as three hours, drastically reducing the window for detection and response. Many exploited vulnerabilities are years old, with some dating back to 2013, demonstrating that unpatched legacy systems remain a critical risk.
Firewall exploitation is often just one phase of a multi-stage attack. Cybercriminals frequently combine software flaws with stolen credentials from phishing campaigns, moving laterally across networks, escalating privileges, and disabling security controls before deploying ransomware.
The findings are based on an extensive dataset, including over two trillion IT events from 2025, 600,000 security alerts, and 300,000 secured endpoints, firewalls, and cloud assets. The research underscores how systematic and widespread these attack patterns have become, proving that even foundational security tools can become liabilities if not properly maintained.
JANUARY 2026
655
DECEMBER 2025
657
Vulnerability
11 Dec 2025 • Barracuda
Barracuda: .NET Framework Vulnerability SOAPwn: Impact on Enterprise Applications
SOAPwn: Invalid Cast Vulnerability in .NET Framework
749
CRITICAL-92
BAR1765454547
New .NET Framework Vulnerability "SOAPwn" Exposes Enterprises to Remote Code Execution Risks
Security researchers at watchTowr Labs have uncovered a critical vulnerability in the .NET Framework, dubbed "SOAPwn", which enables remote code execution (RCE) through an invalid cast flaw in serialization processes. The vulnerability poses a severe threat to enterprise infrastructure, with known impacts on applications such as Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. However, due to the widespread use of .NET in enterprise environments, the risk extends across multiple industries.
The flaw stems from improper type handling during .NET serialization, allowing attackers to execute arbitrary code on vulnerable systems. Successful exploitation could lead to full system compromise, exposing sensitive data and disrupting critical operations.
Organizations using affected applications are urged to monitor vendor advisories and apply patches immediately. Additional mitigation strategies include code audits, network segmentation, and enhanced security monitoring via IDS and SIEM tools. The discovery underscores the need for proactive vulnerability management and collaboration with security researchers to address emerging threats.
NOVEMBER 2025
655
OCTOBER 2025
654
SEPTEMBER 2025
652
AUGUST 2025
649
JULY 2025
647
JUNE 2025
749
Ransomware
16 Jun 2025 • Barracuda
Sophos, Barracuda Networks and Arctic Wolf: Black Hat: Organizations Face Multiple Ransomware Hits
Ransomware Resurgence: Barracuda Report Reveals Alarming Trends at Black Hat USA 2025
644
HIGH-105
SOPBARARC1768969865
At Black Hat USA 2025, Barracuda Networks unveiled a stark report on ransomware’s evolving threat landscape, revealing that 31% of victims were attacked multiple times in the past year, a trend driven by fragmented security defenses and persistent gaps in protection. The findings, based on a survey of 2,000 IT and security decision-makers across North America, Europe, and Asia-Pacific, paint a troubling picture of modern cyber threats.
Key takeaways from the report include:
- 57% of organizations suffered a successful ransomware attack in the last 12 months.
- 71% of those hit by email breaches were also targeted by ransomware, underscoring email as a primary attack vector.
- Only 32% of victims paid a ransom, and just half of those recovered all their data.
- Fragmented security tools and insufficient coverage in critical areas, particularly email security, left organizations vulnerable to repeat attacks.
Adam Khan, Barracuda’s VP of global security operations, highlighted that fewer than half of ransomware victims had implemented email security solutions, despite email being a leading entry point. The report also noted that ransomware attacks are now multi-dimensional, combining data encryption, theft, and secondary payloads for maximum disruption.
Beyond financial losses, attacks inflicted reputational damage (41%), lost business opportunities (25%), and pressure on partners and employees (22%), signaling a shift toward broader operational and psychological impact.
---
Sophos and Rubrik Partner to Strengthen Microsoft 365 Resilience
In a separate announcement, Rubrik and Sophos unveiled a strategic partnership to deliver the first MDR-optimized Microsoft 365 backup and recovery solution, integrated into Sophos Central. The offering aims to combat ransomware, account compromise, and data loss across SharePoint, Exchange, OneDrive, and Teams by unifying threat detection and recovery in a single workflow.
Raja Patel, Sophos’ chief product officer, emphasized the solution’s ability to simplify operations for partners, enabling automated recovery triggered by MDR alerts and creating new revenue streams. Rubrik CEO Bipul Sinha noted the partnership’s focus on AI-driven threats, stressing the need for rapid recovery capabilities in an era of sophisticated breaches.
---
Darktrace’s 2025 Mid-Year Retrospective: AI-Powered Threats and SaaS Exploitation
Darktrace’s retrospective of H1 2025 highlighted the growing use of AI by threat actors, including highly convincing phishing emails and automated campaigns at unprecedented scale. The report also flagged SaaS exploitation as a critical concern, citing lack of visibility and business-level controls in cloud environments.
Nathaniel Jones, Darktrace’s VP of security and AI strategy, warned that user vigilance alone is insufficient, advocating for AI-driven defense systems to counter advanced threats like Blind Eagle. While law enforcement collaborations such as the takedown of Lumma Stealer show progress, the report cautioned that new threats will continue to emerge, with AI adoption expected to expand into deepfakes, malware development, and tooling.
---
Additional Black Hat Announcements
Other notable developments included:
- Arctic Wolf, Flashpoint, and Cyera unveiling new threat intelligence and data security initiatives.
- Industry-wide discussions on AI’s dual role in both offensive and defensive cyber operations.
JUNE 2018
761
Breach
16 Jun 2018 • Barracuda
Barracuda Networks, Inc.
Barracuda Networks Data Breach (2018) Exposing Zoll Services' Protected Health Information (PHI)
703
CRITICAL-58
BAR5995259112525
In 2018, Barracuda Networks, Inc. experienced a data breach that exposed protected health information (PHI) of patients belonging to Zoll Services LLC, a subsidiary of Zoll Medical Corporation. The breach occurred due to vulnerabilities in Barracuda’s email archiving services, which were resold to Zoll via a third-party vendor, Fusion, LLC. The exposed PHI included sensitive patient data, leading to a class-action lawsuit against Zoll. While Zoll settled with affected customers, the legal dispute extended to Barracuda, with Axis Insurance Company (acting as Zoll’s assignee and Fusion’s subrogee) filing tort and contract claims. The court ultimately ruled in favor of Barracuda, dismissing claims of equitable indemnification, breach of contract, and breach of the covenant of good faith and fair dealing due to lack of evidence proving derivative liability or contractual obligations. The breach highlighted gaps in third-party risk management and HIPAA compliance, particularly regarding subcontractor safeguards for PHI.