Security firm Trustwave is facing a lawsuit filed by a Las Vegas-based casino operator for conducting an alleged “woefully inadequate” investigation, missing key details that allowed thieves’ credit-card-stealing malware to remain on the casino’s hotel system for over two months after the firm declared the systems clean.
Affinity Gaming, an operator of 5 casinos in Vegas and 6 others scattered across different states, filed a legal complaint stating that it hired Trustwave in October 2013 to investigate and contain a network breach that allowed customers’ credit card information to be stolen. In mid-January 2014, Trustwave submitted the report that payment card industry (PCI) security rules require of all merchants who accept the major credit card providers. In that PCI forensics report, Trustwave said it had successfully identified the source of the data breach and had contained the malware responsible for it.
Nearly a year later, Affinity Gaming was hit by a second credit card breach, this time hiring the competing security firm Mandiant, which discovered that Trustwave’s engineers had never fully cleaned up and removed the malware from the casino’s servers.
“Mandiant’s forthright and thorough investigation concluded that Trustwave’s representations were untrue, and Trustwave’s prior work was woefully inadequate. In reality, Trustwave lied when it claimed that its so-called investigation would diagnose and help remedy the data breach, when it represented that the data breach was ‘contained,’ and when it claimed that the recommendations it was offering would address the data breach,” a December 2015 complaint read. “Trustwave knew (or recklessly disregarded) that it was going to, and did, examine only a small subset of Affinity Gaming’s data systems, and had failed to identify the means by which the attacker had breached Affinity Gaming’s data security. Thus, Trustwave could not in good faith have made the foregoing representations to Affinity Gaming.”
The lawsuit filed against Trustwave in the US District Court in Nevada is one of the first known cases of its kind, where a client challenges the quality of an investigation completed by a cyber-security firm.
Trustwave officials have not taken the accusations lightly, stating that the firm has done nothing wrong. “We dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court,” an official told the Financial Times, which reported on the lawsuit early Friday.
Trustwave’s investigation concluded that the last breach had occurred in October of 2013. However, a more thorough investigation by Mandiant concluded that another breach occurred in December of last year, during Trustwave’s active investigation. The security firm’s report added a rather unsettling note, stating that the breach “occurred on a continuous basis both before and after Trustwave claimed that the data breach had been ‘contained.’” According to reports, Trustwave failed to identify and clean up several pieces of malware infecting the server, which ultimately allowed the attackers to keep a backdoor into Affinity’s systems.
“Mandiant’s report also concluded that the various recommendations Trustwave had presented to improve Affinity Gaming’s data security were pointless,” the complaint claimed. “None addressed the source of the data breach, and none would have prevented the attacker from again accessing Affinity Gaming’s data systems (for instance, through the backdoors that Trustwave failed to find and close).”
This incident offers a glimpse inside the confidential world of security incident response and the type of investigation that companies undergo after a breach. As a result of Trustwave’s actions, Affinity was required not only to obtain a second PCI forensics report but also to pay additional fees so that banks could reissue the stolen credit cards.