Tech

Trustwave sued over failure to stop security breach

In a landmark case, the cybersecurity is being taken to task for how the firm allegedly handled a casino operators's data breach. [Updated]

Written by Charlie Osborne, Contributing Writer Jan. 18, 2016 at 6:09 a.m. PT

[Update 14.50GMT: Trustwave statement]

Affinity Gaming has filed a lawsuit against Trustwave over how the company allegedly handled a security breach which hurt the casino operator's properties.

The lawsuit has been filed against Trustwave in a US District Court in Nevada, the home and headquarters of Affinity. As reported by The Financial Times, Trustwave was hired by the company to investigate and contain a data breach which exposed the data up to 300,000 Affinity customers.

Affinity says that a second cyberattack took place at the time Trustwave was analyzing the data breach, and alleges the security company missed this assault and instead declared the threat contained.

The landmark lawsuit paves the way for fresh avenues of liability when it comes to cybersecurity, cyberattacks and data breaches. In the past, companies affected by a data breach usually would take steps to appease customers -- as well as take the financial hit and loss of reputation.

While third-party cybersecurity specialists are often brought in after a data breach has occurred, there have been no other documented case where this third party would become embroiled in a legal battle in how they handled and contained a security issue.

Security

In documents outlining the lawsuit (.PDF), Affinity said the company "takes seriously its data security obligations" and so finding a company with proper data breach response expertise was of "paramount importance." However, Affinity was less-than-impressed with Trustwave's performance.

The documents claim:

"Shortly after Trustwave's engagement ended, and after Trustwave had promised that the data breach had been "contained" and the suspected backdoor(s) "inert," Affinity Gaming learned that its data systems still were compromised.
Affinity Gaming hired Ernst & Young to perform penetration testing pursuant to new regulations from the Missouri Gaming Commission. On April 16, 2014, in the course of performing such a test, Ernst & Young identified suspicious activity, including ongoing activity from a malware program named "Framepkg.exe," which Trustwave had found, but apparently had not contained or sought to remediate, during its investigation in 2013."

A Trustwave spokesperson told ZDNet the firm denies any negligence on their part, and "we dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court."

Affinity is seeking $100,000 in damages from Trustwave after using $1.2 million of a $5 million cyberinsurance policy on the breach.