If the case against Trustwave succeeds, it could mean that security companies can be sued if they fail to stop serious breaches.
US casino chain Affinity Games is suing Trustwave, a cyber-security vendor that was brought in to investigate a card breach but failed to detect and stop a malware incident on Affinity’s servers, which led to the escalation of a previous card breach.
In October 2013, Affinity Games was notified of fraudulent credit card activity on the bank accounts of numerous victims, and it hired Trustwave to sort out what was believed to be malware on its system.
Trustwave was hired to investigate and stop a credit card breach. On January 13, 2014, Trustwave reassured the casino chain that the incident “has been contained” and that a “backdoor component appears to exist within the code base, but was inert.”
Trustwave also said that the malware’s author became aware that he had been detected and stopped all activity on October 16, 2013, also removing and deactivating some of the malware’s components.
In April 2014, suspicious activity was coming from a server and an application that had previously been tested and deemed safe in Trustwave’s report.
On April 19, 2014, Affinity hired another cyber-security investigator, Mandiant, a FireEye subsidiary, to investigate these new findings in depth. Mandiant found that the breach thought to have been shut down by Trustwave had remained open until April 27, 2014, when Mandiant security experts shut it down.
Affinity says that Trustwave failed to remove the malware it discovered, failed to find all pieces of the malware, and also failed to identify evidence in some logs it looked at.
In its lawsuit, Affinity claims that “Mandiant’s investigation and remediation confirmed that Trustwave’s representations were clearly inaccurate, and its efforts woefully lacking.”
Affinity is looking for damages in excess of $100,000.