IT security biz Trustwave is being sued by a Las Vegas casino operator for allegedly bungling a hacking investigation. Trustwave denies any wrongdoing.
The outcome of the lawsuit could have staggering consequences for infosec outfits hired to analyze and cleanup computer network intrusions, in terms of potential liabilities and breaches of contract.
In October 2013, Trustwave, based in Chicago, was drafted in by Affinity Gaming to work out how the casino operator was hacked: details on 300,000 or so credit cards used by folks in Affinity's restaurants and hotels were accessed by miscreants who compromised its systems.
According to Affinity, Trustwave poked around its computers, and after some analysis, gave the all-clear – the attack had been "contained," apparently. Allegedly, though, hackers broke into Affinity's systems again while Trustwave was investigating, and this second infiltration was not detected.
Affinity – which runs five casinos in Nevada, and six elsewhere in the US – claimed in its lawsuit paperwork [PDF]:
Hiring a firm with the proper data breach response expertise, such as Trustwave held itself out to be, was of paramount importance for Affinity Gaming, because, while Affinity takes seriously its data security obligations, and has implemented commercially reasonable and appropriate measures to protect its and its customers’ data, Affinity is not an IT security firm and lacks the level of expertise and know-how in the technical aspects of data security that a firm like Trustwave purports to possess.
Trustwave expressly warrantied ... that its “Services provided under this Agreement shall be performed with that degree of skill and judgment normally exercised by recognized professional firms performing services of the same or substantially similar nature.”
Shortly after Trustwave’s engagement ended, and after Trustwave had promised that the data breach had been “contained” and the suspected backdoor(s) “inert,” Affinity Gaming learned that its data systems still were compromised. Affinity Gaming hired Ernst & Young to perform penetration testing pursuant to new regulations from the Missouri Gaming Commission. On April 16, 2014, in the course of performing such a test, Ernst & Young identified suspicious activity, including ongoing activity from a malware program named “Framepkg.exe,” which Trustwave had found, but apparently had not contained or sought to remediate, during its investigation in 2013.
Affinity next hired security biz Mandiant, which concluded that "Trustwave’s prior work was woefully inadequate," according to the lawsuit's paperwork. Mandiant is a rival of Trustwave.
"We dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court," Trustwave told the Financial Times on Friday. The lawsuit was filed at the end of December in the US district court of Nevada. ®