Trustwave Sued by Casino Operator Over Breach Investigation

Las Vegas-based casino operator Affinity Gaming has accused Chicago-based IT security firm Trustwave of failing to properly investigate and contain a payment card breach suffered by the company in 2013.

A complaint filed by Affinity Gaming with the district court of Nevada in December alleges that Trustwave misrepresented its ability to perform an adequate investigation, failed to identify the true source of the breach, and falsely assured the casino operator that the breach had been contained.

In December 2013, Affinity Gaming reported suffering a security breach in which malicious hackers penetrated its payment card systems. The incident was investigated by Trustwave, whose employees analyzed the casino operator’s systems for more than two months in an effort to determine the extent of the breach, find its source and contain it.

According to Affinity’s complaint, at the end of its investigation, Trustwave informed the company that the malware was removed from its systems and that the breach was contained.

A few months after Trustwave completed its investigation, Affinity Gaming called in professional services company Ernst & Young to conduct penetration testing. In mid-April, penetration testers identified suspicious activity associated with a piece of malware that Trustwave was supposed to remove as part of its investigation.

The discovery of the malware triggered a new investigation, this time conducted by FireEye-owned forensic specialist Mandiant. In May 2014, when it reported for the second time that its payment processing systems had been infiltrated, Affinity Gaming said it was unclear if the two incidents were related.

However, the recently filed complaint reveals, based on Mandiant’s investigation, that attackers again compromised Affinity Gaming’s network while Trustwave was still conducting its investigation.

“Trustwave had failed to diagnose that the data breach actually was the result of unidentified outside persons or organizations who were able to compromise Affinity’s data through Affinity Gaming’s Virtual Private Network (VPN), and that the ‘backdoor’ these persons/organizations had created — which Trustwave had speculated may have existed but concluded was ‘inert’ — was very real and accessible,” reads the complaint.

“Mandiant also determined that the unauthorized access and renewed data breach occurred on a continuous basis both before and after Trustwave claimed that the data breach had been contained,” it continues.

The complaint details several breach indicators that Trustwave allegedly omitted during its investigation, and claims the security firm only examined a small subset of Affinity’s systems. The casino operator says Trustwave’s improper investigation resulted in significant losses for the company and drew scrutiny from gaming and consumer protection regulators.

“We dispute and disagree with the allegations in the lawsuit, and we will defend ourselves vigorously in court,” Cas Purdy, VP of Corporate Marketing & Communications at Trustwave, told SecurityWeek.

This is not the first time Trustwave has been targeted in a breach-related lawsuit. The company was also named in lawsuits surrounding the 2012 data breach suffered by the South Carolina Department of Revenue, and the 2013 breach that hit the retailer Target. The security firm defeated the lawsuit connected to the Department of Revenue hack, and the banks that sued the company in relation to the Target incident dropped their suit.

*Updated with statement from Trustwave

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
