
Trustwave Sued by Casino Operator Over Breach Investigation

Las Vegas-based casino operator Affinity Gaming has accused Chicago-based IT security firm Trustwave of failing to properly investigate and contain a payment card breach suffered by the company in 2013.

A complaint filed by Affinity Gaming with the district court of Nevada in December alleges that Trustwave misrepresented its ability to perform an adequate investigation, failed to identify the true source of the breach, and falsely assured the casino operator that the breach had been contained.

In December 2013, Affinity Gaming reported suffering a security breach in which malicious hackers penetrated its payment card systems. The incident was investigated by Trustwave, whose employees analyzed the casino operator’s systems for more than two months in an effort to determine the extent of the breach, find its source and contain it.

According to Affinity’s complaint, at the end of its investigation, Trustwave informed the company that the malware was removed from its systems and that the breach was contained.

A few months after Trustwave completed its investigation, Affinity Gaming called in professional services company Ernst & Young to conduct penetration testing. In mid-April, penetration testers identified suspicious activity associated with a piece of malware that Trustwave was supposed to remove as part of its investigation.

The discovery of the malware triggered a new investigation, this time conducted by FireEye-owned forensic specialist Mandiant. In May 2014, when it reported for the second time that its payment processing systems had been infiltrated, Affinity Gaming said it was unclear if the two incidents were related.

However, the recently filed complaint reveals, based on Mandiant’s investigation, that attackers again compromised Affinity Gaming’s network while Trustwave was still conducting its investigation.

“Trustwave had failed to diagnose that the data breach actually was the result of unidentified outside persons or organizations who were able to compromise Affinity’s data through Affinity Gaming’s Virtual Private Network (VPN), and that the ‘backdoor’ these persons/organizations had created — which Trustwave had speculated may have existed but concluded was ‘inert’ — was very real and accessible,” reads the complaint.

“Mandiant also determined that the unauthorized access and renewed data breach occurred on a continuous basis both before and after Trustwave claimed that the data breach had been contained,” it continues.

The complaint details several breach indicators that Trustwave allegedly omitted during its investigation, and claims the security firm only examined a small subset of Affinity’s systems. The casino operator says Trustwave’s improper investigation resulted in significant losses for the company and drew scrutiny from gaming and consumer protection regulators.

“We dispute and disagree with the allegations in the lawsuit, and we will defend ourselves vigorously in court,” Cas Purdy, VP of Corporate Marketing & Communications at Trustwave, told SecurityWeek.

This is not the first time Trustwave has been targeted in a breach-related lawsuit. The company was also named in lawsuits surrounding the 2012 data breach suffered by the South Carolina Department of Revenue, and the 2013 breach that hit the retailer Target. The security firm defeated the lawsuit connected to the Department of Revenue hack, and the banks that sued the company in relation to the Target incident dropped their suit.

*Updated with statement from Trustwave

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
