Casino sues Singtel-owned TrustWave over data breach report

US casino Affinity Gaming has sued security firm TrustWave, accusing it of lying when telling the casino it had “contained” a data breach.

Affinity Gaming filed its claim in a Las Vegas federal court last week, seeking damages for a breach that occurred after it hired TrustWave in 2013 to investigate an earlier breach.

The casino claimed it was assured by TrustWave the threat had been “contained” but later discovered it was not, forcing it to hire security consultancy Mandiant, which has since been acquired by FireEye.

The casino claims that it has suffered financial losses and attracted scrutiny from gaming and consumer regulators due to the breach, which it blames on alleged misrepresentations by TrustWave.

TrustWave is owned by Optus’ parent, Singapore-headquartered Singtel; however, the disputed transactions occurred prior to its $810m acquisition of TrustWave last year.

Affinity Gaming is attempting to shift liability for the breach on to TrustWave after filing a claim over the breach with its cyber insurer, which had listed TrustWave on its panel of Payment Card Industry data forensics investigators.

The casino argued that while it did take measures to ensure its IT systems were secure, it lacked the knowledge of a specialist IT security firm like TrustWave and thus claimed it was “wholly depend on, and subordinate in terms of its knowledge, understanding, and capabilities, to Trustwave”, relying on it to “prescribe appropriate measures” it should take in response to the earlier breach.

The casino says its initial breach was discovered after local police contacted it regarding credit card fraud and suggested its computer network may have been compromised. Affinity Gaming accused TrustWave of delivering a “woefully inadequate” investigation and report.

It claimed that during a two-month engagement TrustWave only inspected 10 servers, physical security and network topology, after which TrustWave reported the breach had been contained and deemed a discovered backdoor “inert”.

Penetration testers from Ernst & Young subsequently discovered the casino was infected with malware known as “Framnepkg.exe”, which TrustWave claimed to have found and contained. That is when the casino hired Mandiant.

“Mandiant’s investigation initially focused on a period of attacker activity between December 6, 2013 and April 27, 2014. The scope of the investigation expanded to include the “previous” data breach that had occurred between March and October, 2013 – the data breach Trustwave supposedly had investigated – after Mandiant determined that Trustwave had failed to identify the entire extent of the breach,” the suit reads.

TrustWave told the Financial Times it had done nothing wrong. “We dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court.”

