Casino Operator Sues IT Security Firm Over ‘Inadequate’ Breach Investigation

A Las Vegas casino operator has sued IT security firm Trustwave for what it called a “woefully inadequate” investigation following a breach of its systems, arguing Trustwave failed to notice that the attack was never fully brought to an end.

The case is one of the first to target a forensics firm in a major data breach, as the frequency and scale of such incidents grows rapidly and the companies affected search increasingly for ways to reallocate financial responsibility for them.

Data theft

Most post-breach lawsuits to date have been filed by banks and payment card companies against the organisations hit by breaches, while the US’ Federal Trade Commission (FTC) has also levied fines against companies for their data protection failures.

In the complaint, filed late last month in a Las Vegas federal court, Affinity Gaming said it hired Trustwave in October 2013 to help contain a breach that had allowed attackers to obtain the details of up to 300,000 credit cards used in restaurants, hotels and gift shops in its casinos.

In Trustwave’s January 2014 PCI forensics report, required under payment card industry security rules, the firm said it had identified the source of the breach and removed the malware involved.

Then, in April 2014, suspicious activity was identified on Affinity’s network during security testing, leading to a second forensic investigation by Trustwave competitor Mandiant.

The new investigation identified back doors installed by attackers who had access to Affinity’s virtual private network (VPN), and which had never been located in Trustwave’s investigation, according to the complaint.

Mandiant found that the attackers had carried out a further attack in December 2013, while Trustwave’s investigation was ongoing, the complaint said.

‘Renewed data breach’

“Mandiant… determined that the unauthorised access and renewed data breach occurred on a continuous basis both before and after Trustwave claimed that the data breach had been ‘contained’,” Affinity’s attorneys wrote in the complaint.

Affinity argues that Trustwave’s inadequate investigation brought significant financial harm to the company, necessitating the expense of a second investigation, legal expenses and other costs, and is seeking at least $100,000 in damages, as well as additional punitive damages.

Trustwave said it disagrees with the claims.

“We dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court,” the company told the Financial Times.

Banks sued Trustwave in 2014 alleging that the firm failed to prevent a data breach affecting retailer Target, but the action was later dropped.

Are you a security pro? Try our quiz!