Casino Sues Cybersecurity Firm
Affinity Gaming has filed a lawsuit against Trustwave. Affinity claims that after Trustwave was hired to investigate and analyze an initial data breach, Trustwave missed a second assault and declared the threat contained (ZDNet, 2016). Per The Hill, Affinity’s lawsuit mirrors the allegations brought by the FTC against businesses.
Hacked added that Affinity Gaming has used $1.2 million of a $5 million cyber insurance policy for related expenses after the breach. The casino operator is seeking a minimum of $100,000 in damages from Trustwave.
Trustwave had said the last breach activity occurred in October 2013. Mandiant’s later PCI forensics report, by contrast, said it happened again in December of that year while Trustwave was still investigating. The report also noted that the breach “occurred on a continuous basis both before and after Trustwave claimed that the data breach had been ‘contained.’” Trustwave allegedly failed to detect several pieces of malware infecting network servers, and failed to determine that the breach was ultimately the result of attackers who were able to access Affinity’s virtual private network and install backdoor software.
According to the December 2015 complaint:
Mandiant’s forthright and thorough investigation concluded that Trustwave’s representations were untrue, and Trustwave’s prior work was woefully inadequate. In reality, Trustwave lied when it claimed that its so-called investigation would diagnose and help remedy the data breach, when it represented that the data breach was “contained,” and when it claimed that the recommendations it was offering would address the data breach. Trustwave knew (or recklessly disregarded) that it was going to, and did, examine only a small subset of Affinity Gaming’s data systems, and had failed to identify the means by which the attacker had breached Affinity Gaming’s data security. Thus, Trustwave could not in good faith have made the foregoing representations to Affinity Gaming.
(Courtesy of Ars Technica, 2016)
The outcome of this court case could set a precedent for the future relationship between cybersecurity firms and the businesses that hire them. The way contracts are written between a security firm and a business may be drastically altered to protect against further lawsuits in the event of secondary breaches. One main question will arise during the court battle: “should a security firm be held responsible after a data breach?”
There is a good possibility that these two companies will settle out of court, with the intention of avoiding further legal trouble, negative publicity, and a long, drawn-out process in the court system.
This appears to be in the early stages, so a lot can change in the coming months, but it will be something that recently breached businesses and security firms alike will be keeping a close eye on.
Other High Profile Breaches:
Experian (includes T-Mobile)
Tesla and Chrysler (unrelated to each other)
Apple App Store
U.S. Office of Personnel Management (OPM)
Kaspersky & FireEye (unrelated to each other)
Excellus Blue Cross Blue Shield
Ashley Madison (follow up)
Thanks for stopping by and reading our blog. We would appreciate it if you could subscribe (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads it, regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.
Be sure to subscribe to this blog and to our Podcast.
If you have ANY Cybersecurity needs, please contact us and a member of our staff will promptly reply to your question or concern.