In what is being referred to as a landmark case, Affinity Gaming is suing the cybersecurity firm Trustwave for an amount to be proven at trial but which court documents said would "exceed $100,000" for allegedly failing to adequately investigate and remedy a data breach.
The online gambling company claimed Trustwave conducted a “woefully inadequate” investigation then submitted a misleading report to Affinity. The gaming company learned its systems were still compromised despite Trustwave's efforts.
A separate investigation was conducted after Trustwave by another data security firm, Mandiant, which reportedly revealed not only that the breach hadn't been contained but that Affinity's data was compromised during the time that Trustwave's investigation and remediation efforts were still ongoing, according to the documents.
Fred Kost, a security expert at HyTrust, told SCMagazine.com it's possible that breach was contained at the time of Trustwave's report and that other factors out of the security company's control such as Affinity's connected systems, software vulnerabilities, PCI (Payment Card Industry) compliance issues and user error could have contributed to the additional compromises.
Kost said the case highlights the challenges IT firms face when drawing conclusions and giving definitive advice, adding he is surprised that such a lawsuit hasn't been brought sooner given the many high-profile breaches that have occurred.
Anton Chuvakin, research vice president at Gartner, told SCMagazine.com the principle question comes down to whether Trustwave's investigation fell short or Affinity Gaming had unrealistic expectations.
Chuvakin said an investigation into a breach is different than guarding a company's data adding that it seems odd that a security company would promise that a breach is completely contained because it's nearly impossible to fully guarantee. Regardless of which party wins, Chuvakin said the case could influence investigative practices and the language that used in contracts going forward.
In a Tuesday email to SCMagazine.com, a Trustwave spokesperson said the company disputed and disagreed "with the allegations in the lawsuit, and we will defend ourselves vigorously in court.” Affinity Gaming declined to comment.
"This is about reputation and blame deflection, not money," Jeff Hill, channel marketing manager for STEALTHbits Technologies, said in comments emailed to SCMagazine.com. "What better way to distract attention from the undisputed fact that you allowed malware to infect your network in the first place than to sue – breaking new high-profile legal ground in the process – the company you hired to mitigate the damage of the initial breach."