Hacked: Hacking Finance

Casino Sues Cybersecurity Firm in Landmark Case

Introduction

Samburaj Das

Samburaj Das

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.


LATEST POSTS

Alleged FBI Hacker Lauri Love Ordered to US Extradition by UK Home Secretary 15th November, 2016

The Largest Breach of 2016: 412 Million FriendFinder Accounts Exposed 14th November, 2016

Breaches

Casino Sues Cybersecurity Firm in Landmark Case

Posted on .

 

// -- Discuss and ask questions in our community on Workplace. Don't have an account? Send Jonas Borchgrevink an email -- //

In one of the first cases of its kind, ever, a cybersecurity firm was sued by its client, a casino operator for it alleged lack of quality in an investigation following a breach of the casino operator’s system.

This case could potentially set a new precedent entirely in the field of cyber law. A Las Vegas-based (where else?) casino operator has sued cybersecurity firm Trustwave for, in essence, allegedly failing to conduct a competent investigation.

A legal complaint was filed by casino operator Affinity Gaming in a Las Vegas federal court against security firm Trustwave in December 2015.

The Background

In the aftermath of a network breach that directly resulted in the breach of credit card data, Affinity Gaming hired Trustwave in late 2013 to investigate the incident. A forensics report was turned in by Trustwave in January 2014, noting that Trustwave had identified the source of the data breach. The report also claimed it subdued the malware used for the breach.

A year later, the casino operator was hit by a second breach. This time, it hired a competing cybersecurity firm, Mandiant. A subsequent investigation by the second cybersecurity company stated that the malware wasn’t fully purged.

Indeed, the complaint filed in court stated:

Mandiant’s forthright and thorough investigation concluded that Trustwave’s representations were untrue, and Trustwave’s prior work was woefully inadequate.

Furthermore, the complaint plainly alleges that Trustwave had lied with its purported investigation. The complaint, obtained by ArsTechnica, also claims that Trustwave was aware or recklessly disregarded the notion that it was only examining a small part of the casino operator’s gaming systems infrastructure.

Another conflict in the cybersecurity firms’ reporting comes to the fore when Trustwave points to October as the last semblance of breach activity while Mandiant stated that another breach occurred in December of 2013. December, incidentally, was also the month when Trustwave was investigating the breach.

Mandiant’s report also led Affinity Gaming to claim in its complaint that Trustwave failed to detect several strains of malware infecting network servers. The complaint also notes that the second breach was a direct result of malicious actors who were able to install backdoor software on the casino operator’s virtual private network.

Affinity Gaming was ultimately required to pay for additional assessments from an independent expert(s) after the second breach for banks to reissue new cards to replace those compromised earlier.

Trustwave for its part denied any and all wrongdoing and told the Economic Times:

We dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court.

Affinity Gaming told the publication that it has used $1.2 million of a $5 million cyber insurance policy for related expenses after the breach. The casino operator Is seeking a minimum of $100,000 in damages from Trustwave.

Featured image from Shutterstock.

Important: Never invest money you can't afford to lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here.



Feedback or Requests?

DON'T MISS OUT

Samburaj Das

Samburaj Das

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.

Comments
  • user

    AUTHOR Lewis Cowles

    Posted on 8:29 pm January 25, 2016.

    This sounds like someone at the casino hired a business to conduct activities that were woefully inadequate, or that the business that carried them out were not given a full picture. In a field that is so new, I think we should be slower to blame the service business, and look closer at the details. Were company A and company B both given the same criteria, the same pay, the same data and access? I Don’t know because details look non-existent

  • View Comments (1) ...
    Navigation
    When hundreds of Ukrainians in the Ivano-Frankivsk region lost power…