Categories: Security

Casino Operator Sues IT Security Firm Over ‘Inadequate’ Breach Investigation

A Las Vegas casino operator has sued IT security firm Trustwave for what it called a “woefully inadequate” investigation following a breach of its systems, arguing Trustwave failed to notice that the attack was never fully brought to an end.

The case is one of the first to target a forensics firm in a major data breach, as the frequency and scale of such incidents grows rapidly and the companies affected search increasingly for ways to reallocate financial responsibility for them.

Data theft

Most post-breach lawsuits to date have been filed by banks and payment card companies against the organisations hit by breaches, while the US’ Federal Trade Commission (FTC) has also levied fines against companies for their data protection failures.

In the complaint, filed late last month in a Las Vegas federal court, Affinity Gaming said it hired Trustwave in October 2013 to help contain a breach that had allowed attackers to obtain the details of up to 300,000 credit cards used in restaurants, hotels and gift shops in its casinos.

In Trustwave’s January 2014 PCI forensics report, required under payment card industry security rules, the firm said it had identified the source of the breach and removed the malware involved.

Then, in April 2014, suspicious activity was identified on Affinity’s network during security testing, leading to a second forensic investigation by Trustwave competitor Mandiant.

The new investigation identified back doors installed by attackers who had access to Affinity’s virtual private network (VPN), and which had never been located in Trustwave’s investigation, according to the complaint.

Mandiant found that the attackers had carried out a further attack in December 2013, while Trustwave’s investigation was ongoing, the complaint said.

‘Renewed data breach’

“Mandiant… determined that the unauthorised access and renewed data breach occurred on a continuous basis both before and after Trustwave claimed that the data breach had been ‘contained’,” Affinity’s attorneys wrote in the complaint.

Affinity argues that Trustwave’s inadequate investigation brought significant financial harm to the company, necessitating the expense of a second investigation, legal expenses and other costs, and is seeking at least $100,000 in damages, as well as additional punitive damages.

Trustwave said it disagrees with the claims.

“We dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court,” the company told the Financial Times.

Banks sued Trustwave in 2014 alleging that the firm failed to prevent a data breach affecting retailer Target, but the action was later dropped.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago