Casino operator sues Trustwave for failing to spot and stop hackers

Nevada-based Affinity Gaming, which operates five casinos in that state and 11 altogether in the US, is suing infosec outfit Trustwave, claiming that the company did a poor job when it was called in to help with containing a data breach in October 2013.

According to the lawsuit documents reviewed by Ars Technica, Affinity hired Trustwave after it was informed that it might have suffered a data breach.

“Hiring a firm with the proper data breach response expertise, such as Trustwave held itself out to be, was of paramount importance for Affinity Gaming, because, while Affinity takes seriously its data security obligations, and has implemented commercially reasonable and appropriate measures to protect its and its customers’ data, Affinity is not an IT security firm and lacks the level of expertise and know-how in the technical aspects of data security that a firm like Trustwave purports to possess,” Affinity explained.

When they finished the investigation, Trustwave presented the company with a report on what happened, which ultimately said that the compromise had been contained, and that the backdoor they found “appears to be inert.”

“Trustwave also stated that it ‘believe[d] that the attacker became aware of the security upgrades that were taking place and took several steps to remove both the malware and evidence of the attack itself. Almost all components of the malware were deactivated and/or removed from the systems on October 16, 2013. This activity ended the breach,’” Affinity claims.

All in all, Affinity says, Trustwave stated that the malware had been removed and offered the company recommendations on how to shore up its defenses.

But shortly after that, the company discovered that its data systems were still compromised, and called in Ernst & Young to perform penetration testing.

The testers found “suspicious activity, including ongoing activity from a malware program named ‘Framepkg.exe,’ which Trustwave had found, but apparently had not contained or sought to remediate, during its investigation in 2013.”

So Affinity hired another security company, Mandiant, in April 2014, and it set to work investigating this breach and the previous one investigated by Trustwave.

Mandiant correctly diagnosed the true cause of the data breach, which Trustwave didn’t, and they determined that “the unauthorized access and renewed data breach occurred on a continuous basis both before and after Trustwave claimed that the data breach had been ‘contained.’”

“Mandiant’s investigation revealed a long list of Trustwave misrepresentations, omissions, and failures,” Affinity claims, and lists them in the document.

Affinity is now looking to minimize the monetary damages it incurred because of Trustwave’s poor work, and is asking the US District Court of Nevada to force Trustwave to pay for them.

Trustwave disagrees with the claims and will be disputing them in court.