Trustwave sued by casino company for failure to contain security breach

Affinity Gaming says Trustwave lied about containing security threat and is seeking $100,000 in damages

US casino chain Affinity Gaming is suing security firm Trustwave, accusing the firm of declaring that a security threat had been contained when it hadn't.

Trustwave had been hired by the company in 2013 when it suffered a breach that exposed the data of up to 300,000 Affinity customers. Its job was to investigate and contain the data breach.

However, Affinity Gaming claims that a second cyber-attack took place while Trustwave was still looking into the first data breach, and that the security firm missed the attack and even said that the threat had been contained. The casino said that this wasn't the case, and that penetration testing performed by Ernst & Young identified suspicious activity, including ongoing activity from a malware program called "Framepkg.exe", which Trustwave had found during its investigation in 2013 but apparently had not contained or sought to remediate.

The lawsuit has been filed against Trustwave in a US District Court in Nevada, and in it, Affinity Gaming claims that it has suffered financial losses as well as scrutiny from gaming and consumer regulators.

Affinity said that it "takes seriously its data security obligations" and that it was therefore of "paramount importance" to find a company with the right level of expertise.

However, it said that Trustwave performed a "woefully inadequate 'investigation'" and submitted a misleading report to Affinity.

It said that after Trustwave's engagement had concluded and the company learned that it had suffered an "ongoing data breach", it had to retain a second data security consulting firm, Mandiant.

Affinity Gaming is seeking $100,000 in damages from Trustwave after using $1.2m of a $5m cyber-insurance policy on the breach.

Trustwave has maintained that it has not been negligent and would seek to defend itself in court.

The case - whichever way it goes - will be a landmark in the cyber security space, as never before has a security company been held up as being negligent in its handling of a data breach affecting one of its clients.