Casino chain seeks monetary damages in excess of $100,000

Jan 16, 2016 15:36 GMT  ·  By

US casino chain Affinity Games is suing Trustwave Holdings, a cyber-security vendor that was brought in to investigate a card breach but failed to detect and stop a malware incident on Affinity's servers, which led to the escalation of a previous card breach.

The whole story starts towards the end of October 2013 when Affinity Games was contacted by law enforcement and notified of fraudulent credit card activity on the bank accounts of numerous victims.

All those people had Affinity's gambling service in common, so following this revelation, the casino's staff started an investigation and on October 24, 2013, concluded that it was the victim of a malware intrusion that allowed a third party to exfiltrate credit card data from some of its computers.

Trustwave was hired to investigate and stop a credit card breach

Affinity hired Trustwave to examine the incident, probe for details and contain the malware threat. In a report submitted at the end of the investigation, on January 13, 2014, Trustwave reassured the casino chain that the incident "has been contained" and that a "backdoor component appears to exist within the code base, but appears to be inert."

Trustwave also said that the malware's author became aware that he was detected, and stopped all activity on October 16, 2013, also removing and deactivating some of the malware's components.

Life went on as usual until new rules in the gaming industry forced Affinity casinos to upgrade their servers and carry out a series of penetration tests to comply with the new regulations.

Mandiant was brought in to mop up Trustwave's mess

On April 16, 2014, Affinity hired Ernst & Young to carry out these tests. The company reported back to the casino staff that it had identified suspicious activity coming from one of Affinity's servers. That particular server, and the application from which the suspicious activity was coming, had previously been tested and deemed safe in Trustwave's report.

On April 19, 2014, Affinity hired another cyber-security investigator, Mandiant, a FireEye subsidiary, to investigate these new findings in depth.

According to Mandiant's report, the original card breach, which ran between March and October 2013, resumed on December 6, 2013, without being noticed during Trustwave's investigation, and continued until April 27, 2014, when Mandiant security experts shut it down.

Affinity says that Trustwave failed to remove the malware it discovered, failed to find all pieces of the malware, and also failed to identify evidence in some logs it looked at.

Affinity: Trustwave performed a woefully inadequate investigation

"Trustwave willfully disregarded further evidence that the breach was likely more widespread than what the firm found through its review of the limited systems it examined," the lawsuit reads. "Trustwave willfully disregarded other evidence that the breach was more widespread than first believed."

According to the Mandiant report, the attacker accessed at least 93 systems and deployed credit card harvesting malware on 76, 12 of which were PCI (Payment Card Industry)-compliant servers, which Trustwave was specifically told to inspect.

In its lawsuit, Affinity claims that "Mandiant’s investigation and remediation confirmed that Trustwave’s representations were clearly inaccurate, and its efforts woefully lacking."

Affinity is looking for damages in excess of $100,000 / €92,000.

Below is the lawsuit in full, which contains the full timeline of events (and accusations).