Casino Files Lawsuit Against Cybersecurity Firm for Inability to Prevent Hackers

A cybersecurity firm, Trustwave, is facing legal action from Affinity Gaming, a casino operator based in Las Vegas. The lawsuit alleges that Trustwave conducted an investigation deemed “woefully inadequate” in response to a network breach that exposed the casino’s systems. The action highlights growing concerns regarding the effectiveness of cybersecurity firms in protecting client data and responding to breaches.

 

Affinity Gaming, which operates several casinos across Nevada and the U.S., claims that Trustwave’s failure to adequately address the breach directly contributed to the theft of credit card information. This negligence allegedly allowed cybercriminals to maintain access to sensitive data during the investigation. Given the nature of the breach and the involvement of sensitive customer data, this lawsuit marks a significant challenge for the field of cybersecurity consulting.

 

The lawsuit, filed in the U.S. District Court of Nevada, emerges as one of the first instances where a client has contested the quality of a cybersecurity firm’s investigation after a hacking incident. Affinity Gaming is seeking at least $100,000 in damages, asserting that Trustwave misrepresented its capabilities and failed to provide adequate remediation following the incident.

 

 

Affinity Gaming engaged Trustwave in late 2013 to investigate system intrusions that had allowed attackers to access customer credit card data. Reports indicated that the personal information of over 300,000 credit cardholders was compromised during this incident. Trustwave’s report in January 2014 concluded that the source of the breach had been identified and the malware contained. However, Affinity claims to have learned more than a year later from another security firm, Mandiant, that the malware had not been completely eradicated, leading to another breach.

 

Moreover, Affinity’s lawsuit outlines that the casino operator relied heavily on Trustwave’s expertise due to its lack of internal cybersecurity capabilities. The court filings assert that Affinity believed Trustwave’s reassurances regarding the containment of the breach and the adequacy of its remediation efforts. These claims, according to Affinity, were later proven false when Mandiant’s findings revealed significant failings in Trustwave’s investigative methods and recommendations.

 

Trustwave has denied any allegations of misconduct, contending that it will vigorously defend itself in court against the claims levelled by Affinity. The outcome of this case may set a precedent on the accountability of cybersecurity firms in breach response scenarios and could influence future contractual relationships between companies and their cybersecurity service providers. This case highlights the critical importance of effective breach management and raises questions regarding the standards of care expected from cybersecurity experts in safeguarding sensitive customer data.