In a case that could ring alarm bells for cyber-security firms, Las Vegas casino company Affinity Gaming is suing security firm Trustwave for over £280,000, alleging that Trustwave carried out a “woefully inadequate” data breach investigation, shortly after which Affinity was breached again.
In a complaint lodged last month with the Nevada district court, Affinity said it turned to Trustwave after a suspected cyber-attack on its payment card systems in October 2013. After a two-month probe, Trustwave said the breach was “contained”, but Affinity claims its investigation and advice were “inaccurate”, “woefully lacking” and “grossly negligent”.
Three months after Trustwave finished work in January 2014, an Ernst & Young (EY) penetration test found malware on the casino company's systems. Affinity called in FireEye-owned Mandiant, whose “startling conclusion” was that it had suffered further hacks, some of which took place while Trustwave was still inside Affinity investigating.
In its claim, Affinity says Trustwave's “grossly negligent performance” resulted in it suffering significant financial losses and coming under the scrutiny of US gaming and consumer protection regulators. It is suing Trustwave for over £70,000 in compensation, and more than £210,000 in additional punitive damages.
The casino firm admits Trustwave defined the initial scope of the engagement as “inspection of only 10 servers and systems and Affinity Gaming's physical security and network topology” – but says it was dependent on “Trustwave's assessment on what the proper scope of its engagement should be”.
Affinity says it was told the data breach had been “contained”, the malware “removed”, and a backdoor into its systems “appears to be inert”.
But after EY raised the alarm, Affinity says Mandiant's “far more thorough” investigation found attackers active in its network between December 2013 and April 2014. Some data was stolen “while Trustwave's supposed investigation and remediation efforts were still ongoing”.
Mandiant also discovered that in March 2013, hackers accessed at least 93 Affinity systems and deployed cardholder harvesting malware on at least 76 systems.
Affinity accuses Trustwave of failing to find two malware programs (LsaExt.dll and Pwsrv.exe) on one of the servers it analysed.
It alleges: “Mandiant's investigation and remediation confirmed that Trustwave's representations were clearly inaccurate, and its efforts woefully lacking.
“Trustwave knew (or recklessly disregarded) that it was going to, and did, examine only a small subset of Affinity Gaming's data systems, and failed to identify the means by which the attacker had breached Affinity Gaming's data security.”
An official at Chicago-based Trustwave told SCMagazineUK.com via email: “We dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court.”
Commenting on the implications of the case, UK cyber-security expert Amar Singh said the case highlights the impossibility of security firms giving cast-iron guarantees that clients will not be breached again.
Singh, who is chair of ISACA's UK Security Advisory Group and CEO of the Cyber Management Alliance and Give01Day.com, told SC: “If you are expecting any company or product to make you 100 percent safe from breaches, you are living on another planet.”
Jonathan Sander, VP of product strategy at Lieberman Software, has a similar view: “Affinity's claim is that Trustwave were ‘grossly negligent’ – a legal term that simply means they didn't do as good a job as could have been done. The proof Affinity holds up is that the next people they brought in did better. An interesting question in my mind is what may happen when Affinity is breached again.
“The state of the world is such that breaches are happening all the time. Will that mean particularly litigious companies chasing the last cyber-security firm they had in every time there's a new malware outbreak?”
Sander added: “Lawsuits like Affinity vs Trustwave are a sign of maturity in the business of cyber-security. When many expert-driven industries are young, you never see lawsuits like this because the people who need experts could never hope to understand the grounds on which they would sue that expert.”
He advised: “The best way to protect yourself as a cyber-security firm investigating breaches is to do your best work, document it well, and make sure you had a very clear contract. If Trustwave made it clear they would do their best and could not prevent other outcroppings of malware, then this whole case will be dismissed easily. If however Trustwave did not word the contract well or it emerges that they made promises in writing that far exceeded that contract, then they could find themselves in trouble.”
Singh pointed out that clients are often unclear about their needs and try to avoid the cost of a thorough breach investigation.
“A deep and intensive assessment is almost like giving someone an open chequebook,” he said. “I've been on the side of a service provider and am a practising interim CISO – on several occasions clients are not sure what they want out of a security assessment and the service firm is left wondering and deciding on the scope. Many organisations are falling short because they are not clearly defining their requirements and scope.”
Singh advised: “How can you carry out an effective assessment? A bit controversial, but start by asking yourself how you would destroy your business. Think about the business processes, the systems that your business depends on. In addition, consider a threat intelligence-based assessment – in simple terms you need to know which criminals are after your business and what methods of compromise they are using to attack similar companies.”