Categories: Security

Casino Operator Sues IT Security Firm Over ‘Inadequate’ Breach Investigation

A Las Vegas casino operator has sued IT security firm Trustwave for what it called a “woefully inadequate” investigation following a breach of its systems, arguing Trustwave failed to notice that the attack was never fully brought to an end.

The case is one of the first to target a forensics firm in a major data breach, as the frequency and scale of such incidents grows rapidly and the companies affected search increasingly for ways to reallocate financial responsibility for them.

Data theft

Most post-breach lawsuits to date have been filed by banks and payment card companies against the organisations hit by breaches, while the US’ Federal Trade Commission (FTC) has also levied fines against companies for their data protection failures.

In the complaint, filed late last month in a Las Vegas federal court, Affinity Gaming said it hired Trustwave in October 2013 to help contain a breach that had allowed attackers to obtain the details of up to 300,000 credit cards used in restaurants, hotels and gift shops in its casinos.

In Trustwave’s January 2014 PCI forensics report, required under payment card industry security rules, the firm said it had identified the source of the breach and removed the malware involved.

Then, in April 2014, suspicious activity was identified on Affinity’s network during security testing, leading to a second forensic investigation by Trustwave competitor Mandiant.

The new investigation identified back doors installed by attackers who had access to Affinity’s virtual private network (VPN), and which had never been located in Trustwave’s investigation, according to the complaint.

Mandiant found that the attackers had carried out a further attack in December 2013, while Trustwave’s investigation was ongoing, the complaint said.

‘Renewed data breach’

“Mandiant… determined that the unauthorised access and renewed data breach occurred on a continuous basis both before and after Trustwave claimed that the data breach had been ‘contained’,” Affinity’s attorneys wrote in the complaint.

Affinity argues that Trustwave’s inadequate investigation brought significant financial harm to the company, necessitating the expense of a second investigation, legal expenses and other costs, and is seeking at least $100,000 in damages, as well as additional punitive damages.

Trustwave said it disagrees with the claims.

“We dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court,” the company told the Financial Times.

Banks sued Trustwave in 2014 alleging that the firm failed to prevent a data breach affecting retailer Target, but the action was later dropped.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago