In one of the first cases of its kind, ever, a cybersecurity firm was sued by its client, a casino operator for it alleged lack of quality in an investigation following a breach of the casino operator’s system.
This case could potentially set a new precedent entirely in the field of cyber law. A Las Vegas-based (where else?) casino operator has sued cybersecurity firm Trustwave for, in essence, allegedly failing to conduct a competent investigation.
A legal complaint was filed by casino operator Affinity Gaming in a Las Vegas federal court against security firm Trustwave in December 2015.
In the aftermath of a network breach that directly resulted in the breach of credit card data, Affinity Gaming hired Trustwave in late 2013 to investigate the incident. A forensics report was turned in by Trustwave in January 2014, noting that Trustwave had identified the source of the data breach. The report also claimed it subdued the malware used for the breach.
A year later, the casino operator was hit by a second breach. This time, it hired a competing cybersecurity firm, Mandiant. A subsequent investigation by the second cybersecurity company stated that the malware wasn’t fully purged.
Indeed, the complaint filed in court stated:
Mandiant’s forthright and thorough investigation concluded that Trustwave’s representations were untrue, and Trustwave’s prior work was woefully inadequate.
Furthermore, the complaint plainly alleges that Trustwave had lied with its purported investigation. The complaint, obtained by ArsTechnica, also claims that Trustwave was aware or recklessly disregarded the notion that it was only examining a small part of the casino operator’s gaming systems infrastructure.
Another conflict in the cybersecurity firms’ reporting comes to the fore when Trustwave points to October as the last semblance of breach activity while Mandiant stated that another breach occurred in December of 2013. December, incidentally, was also the month when Trustwave was investigating the breach.
Mandiant’s report also led Affinity Gaming to claim in its complaint that Trustwave failed to detect several strains of malware infecting network servers. The complaint also notes that the second breach was a direct result of malicious actors who were able to install backdoor software on the casino operator’s virtual private network.
Affinity Gaming was ultimately required to pay for additional assessments from an independent expert(s) after the second breach for banks to reissue new cards to replace those compromised earlier.
Trustwave for its part denied any and all wrongdoing and told the Economic Times:
We dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court.
Affinity Gaming told the publication that it has used $1.2 million of a $5 million cyber insurance policy for related expenses after the breach. The casino operator Is seeking a minimum of $100,000 in damages from Trustwave.
Featured image from Shutterstock.