Affinity Gaming, a casino operator running five casinos in Nevada and six in other locations in the US, has sued the IT security company Trustwave over a “bad” investigation following a network breach it suffered. Affinity Gaming has questioned the way Trustwave conducted its investigation, saying the firm failed to block the intrusion that resulted in the theft of credit card data and let the thieves maintain their foothold even during the period Trustwave was doing its investigation.
This is relevant news because this is one of the first cases where a client sued a cyber security firm for lack of quality in its investigation. The lawsuit was filed in the US District Court in Nevada.
The casino operator hired the security firm at the end of 2013 to assess and clean up its computers.
The cyber criminals were able to get more than 300,000 credit cards belonging to all the clients of Affinity Gaming.
At the time, the report made by Trustwave in January 2014 indicated that the source of the data breach had been identified, and that the malware responsible for the breach had been found and contained.
The problem was that a year later the casino operator suffered a second breach, in which more payment cards were stolen, a circumstance that raised suspicions on Affinity Gaming's side.
To investigate the second incident, Affinity Gaming hired Mandiant, whose experts discovered that the malware detected by Trustwave hadn’t been fully removed.
The lawsuit, filed in December 2015, claims:
“Hiring a firm with the proper data breach response expertise, such as Trustwave held itself out to be, was of paramount importance for Affinity Gaming…Affinity isn’t an IT security firm and lacks the level of expertise.”
“With respect to the apparent data breach, Affinity Gaming was wholly dependent on and subordinate in terms of its understanding, knowledge, and capabilities, to Trustwave, relying on [it] to diagnose, investigate, and prescribe appropriate measures to address.”
“Mandiant’s forthright and thorough investigation concluded that Trustwave’s representations were untrue, and Trustwave’s prior work was woefully inadequate. In reality, Trustwave lied when it claimed that its so-called investigation would diagnose and help remedy the data breach when it represented that the data breach was “contained,” and when it claimed that the recommendations it was offering would address the data breach. Trustwave…failed to identify the means by which the attacker had breached Affinity Gaming’s data security. Thus, Trustwave could not in good faith have made the foregoing representations to Affinity Gaming.”
The casino operator is demanding $100,000 in damages from Trustwave.
On the other side, Trustwave’s spokesperson told the Financial Times that the company conducted the investigation in the correct way.
“We dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court.”
About the Author Elsio Pinto
Edited by Pierluigi Paganini
(Security Affairs – Affinity Gaming, data breach)