Las Vegas-based casino operator Affinity Gaming has accused Chicago-based IT security firm Trustwave of failing to properly investigate and contain a payment card breach suffered by the company in 2013.
A complaint filed by Affinity Gaming with the district court of Nevada in December alleges that Trustwave misrepresented its ability to perform an adequate investigation, failed to identify the true source of the breach, and falsely assured the casino operator that the breach had been contained.
In December 2013, Affinity Gaming reported suffering a security breach in which malicious hackers penetrated its payment card systems. The incident was investigated by Trustwave, whose employees analyzed the casino operator’s systems for more than two months in an effort to determine the extent of the breach, find its source and contain it.
According to Affinity’s complaint, at the end of its investigation, Trustwave informed the company that the malware was removed from its systems and that the breach was contained.
A few months after Trustwave completed its investigation, Affinity Gaming called in professional services company Ernst & Young to conduct penetration testing. In mid-April, penetration testers identified suspicious activity associated with a piece of malware that Trustwave was supposed to remove as part of its investigation.
The discovery of the malware triggered a new investigation, this time conducted by FireEye-owned forensic specialist Mandiant. In May 2014, when it reported for the second time that its payment processing systems had been infiltrated, Affinity Gaming said it was unclear if the two incidents were related.
However, the recently filed complaint reveals, based on Mandiant’s investigation, that attackers again compromised Affinity Gaming’s network while Trustwave was still conducting its investigation.
“Trustwave had failed to diagnose that the data breach actually was the result of unidentified outside persons or organizations who were able to compromise Affinity’s data through Affinity Gaming’s Virtual Private Network (VPN), and that the ‘backdoor’ these persons/organizations had created — which Trustwave had speculated may have existed but concluded was ‘inert’ — was very real and accessible,” reads the complaint.
“Mandiant also determined that the unauthorized access and renewed data breach occurred on a continuous basis both before and after Trustwave claimed that the data breach had been contained,” it continues.
The complaint details several breach indicators that Trustwave allegedly omitted during its investigation, and claims the security firm only examined a small subset of Affinity’s systems. The casino operator says Trustwave’s improper investigation resulted in significant losses for the company and drew scrutiny from gaming and consumer protection regulators.
“We dispute and disagree with the allegations in the lawsuit, and we will defend ourselves vigorously in court,” Cas Purdy, VP of Corporate Marketing & Communications at Trustwave, told SecurityWeek.
This is not the first time Trustwave has been targeted in a breach-related lawsuit. The company was also named in lawsuits surrounding the 2012 data breach suffered by the South Carolina Department of Revenue, and the 2013 breach that hit the retailer Target. The lawsuit in connection to the Department of Revenue hack was defeated by the security firm and the banks that sued the company in relation to the Target incident dropped their suit.
*Updated with statement from Trustwave