Affinity Gaming Sues Cybersecurity Firm Over Data Breach

Posted on: January 21, 2016, 03:17h. 

Last updated on: January 21, 2016, 03:18h.

Affinity Gaming believes that Trustwave, the firm it hired to deal with a data breach, was “grossly negligent” in its performance, but some believe the cyber company is being made a scapegoat. (Image: nabr.org)

Las Vegas-based Affinity Gaming is suing a cybersecurity company, which it claims failed to deal adequately with a breach of its system, in what may come to be regarded as a landmark case.

The casino operator, formerly Herbst Gaming of Terrible Herbst Oil Company fame, owns off-Strip and stateline casino properties in Nevada, as well as several throughout Colorado, Missouri, and Iowa.

Affinity accuses Chicago-based IT firm Trustwave of making “representations [that] were untrue,” and of carrying out work that was “woefully inadequate” in its investigation of a suspected hack on its payments card system back in 2013.

The case could be a groundbreaker, say legal experts, because there have been very few of its kind, and it may establish a level of liability for the cybersecurity industry for failure to combat similar attacks.

Punitive Damages

Affinity claims that two months after the suspected hack on its system, Trustwave said that the breach had been “contained,” but Affinity later suspected that this was not the case and hired data security firm Mandiant to look into it.

“While Trustwave had concluded that the last data breach activity occurred in October 2013, Mandiant’s investigation revealed that these persons/organizations again compromised Affinity Gaming’s data in December 2013, while Trustwave’s supposed investigation and remediation efforts were still ongoing,” states the lawsuit.

Affinity claims that Trustwave’s “grossly negligent performance” resulted in significant financial loss. It also claims the cyber firm’s failure to deal with the breach damaged the casino company’s reputation by making it the focus of investigations by gaming regulators and consumer protection authorities.

The company is seeking at least $99,294 in compensation and $297,883 in punitive damages.

Which, as lawsuits go in America, is a pretty modest ask.

Accusations of Scapegoating

“In reality, Trustwave lied when it claimed that its so-called investigation would diagnose and help remedy the data breach, when it represented that the data breach was ‘contained,’ and when it claimed that the recommendations it was offering would address the data breach,” states the lawsuit.

“Trustwave knew (or recklessly disregarded) that it was going to, and did, examine only a small subset of Affinity Gaming’s data systems, and had failed to identify the means by which the attacker had breached Affinity Gaming’s data security.” 

Trustwave has said that it “disagrees” with the allegations and will “defend itself vigorously in court.”

Jeff Hill, channel marketing manager for cybersecurity firm STEALTHbits Technologies, was highly critical of the lawsuit and jumped to defend his industry in comments to SCMagazine’s online site this week.

“This is about reputation and blame deflection, not money,” he said. “What better way to distract attention from the undisputed fact that you allowed malware to infect your network in the first place than to sue (breaking new high-profile legal ground in the process) the company you hired to mitigate the damage of the initial breach?”