Casino Sues Trustwave Over Data BreachAffinity Gaming Claims Security Firm Never 'Contained' Breach
A casino operator has sued incident response firm Trustwave, alleging that the security company failed to fully eradicate and "contain" the 2013 data breach and payment card malware outbreak that it was hired to remediate. Security experts say the lawsuit is a reminder to any firm that gets breached to ensure that the incident response team they hire is looking at the full data breach picture.
See Also: The Global State of Online Digital Trust
The complaint against Chicago-based Trustwave was recently filed in U.S. District Court in Nevada by Las Vegas-based Affinity Gaming, which operates 11 casinos across Colorado, Iowa, Missouri and Nevada. Affinity is seeking damages related to its monetary harm, which it says was "considerably in excess" of the more the $100,000 it paid Trustwave. To date, the company has spent $1.2 million of a $5 million cyberinsurance policy to offset breach-related expenses, according to Financial Times, which first reported on the lawsuit.
Affinity says it first learned in October 2013 from customers and local law enforcement agencies that it had apparently suffered a breach, after which it immediately alerted card issuers and its cyberinsurance firm, ACE, which recommended that the casino operator hire a digital forensic investigation firm, of which Trustwave was one of the recommended firms. Affinity says that after discussions with Trustwave, it signed a contract for one of Trustwave's "PCI Forensic Investigations" - referring to the Payment Card Industry's Data Security Standard - which the company marketed as being "designed to identify if, how, what and for how long cardholder data has been compromised and to provide recommendations to increase security."
The related report delivered by Trustwave in November 2013 reported that the breach "compromise has been contained," and that a malware-related "backdoor component appears to exist within the code base, but appears to be inert," according to the complaint. But Affinity now alleges that Trustwave only studied 10 of its servers and systems - as well as the company's "physical security" and "network topology" - to reach those conclusions, and thus could not have accurately reported that the breach had been reliably contained.
After Trustwave finished its project, Affinity Gaming says that an April 2014 penetration test that it commissioned from consultancy Ernst & Young - as required by new Missouri Gaming Commission regulations - found "suspicious activity," including the apparent presence of malware called "Framepkg.exe" on its systems, which was the exact same malware related to the breach that was discovered in 2013.
Take Two: Mandiant Investigates
In April 2014, Affinity Gaming hired a second incident-response firm, FireEye's Mandiant, which "determined that Trustwave had failed to identify the entire extent of the breach." The breach appeared to have persisted from March to October 2013, and then from December 2013 - while Trustwave was conducting its investigation - until April 2014.
Mandiant told Trustwave that the attacker had successfully compromised its virtual private network, which then was used to access the company's network. The attacker used two other types of malware - LsaExt.dll and pwsrv.exe - which had been present on at least one of the systems that Trustwave scanned as part of its investigation, and which the attacker used to exfiltrate valid, internal passwords to the casino operator's network. Mandiant also reported that over a two-day period in March 2013, the attacker had "accessed at least 93 systems [and] deployed cardholder data harvesting malware to at least 76 systems" inside its network.
"Had Trustwave discovered these systems were also compromised, the firm could have and should have expanded the scope of the investigation and helped remediate the breach," according to the complaint.
Trustwave spokesman Cas Purdy tells Information Security Media Group, "We dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court."
A Question of Scope
Security experts say this lawsuit could have wide-ranging ramifications for firms involved in incident response, which refers to helping organizations identify, mitigate and protect themselves against security incidents.
"This could change the stakes for those involved in IR," says information security consultant Brian Honan via Twitter. He notes that all incident response teams should ensure that they thoroughly document all related project activities, deliverables and timelines - typically referred to as a statement of work, which is often the basis for a contractual obligation - as well as all related conversations that they have with clients.
The exact scope of the job that Trustwave was hired to do has yet to come to light, notes Jacob Williams, a SANS Institute instructor and information security consultant with consultancy Rendition Infosec, in a Jan. 15 blog post.
But in the complaint, Affinity Gaming says that it did not have the information security expertise required to either detect and eradicate the breach, or to define the exact manner in which that should occur. Accordingly, it relied on "Trustwave's data security expertise" to tell it "what the proper scope of its engagement should be," and claims that Affinity Gaming "in no way limited or restricted Trustwave's investigation of Affinity Gaming's data systems."
"Scoping any engagement is important. During an incident, the client always wants to get back to normal operations in the shortest period of time for the lowest overall cost," Williams says. But what's not yet clear is whether Trustwave correctly communicated the exact scope of what would be required to resolve the breach and any underlying problems. "Trustwave may have done this, but Affinity asserts they did not."
Tell it Straight
In general, some incident-response teams - and especially internal employees - might hesitate when it comes to telling senior management or the board of directors just how much a careful and full breach-remediation plan will cost, Williams says. "Over the years, I've lost some business by telling it to clients straight: 'I know you wish the incident was over - but you are nowhere near done investigating. You can tell the board whatever you want, but you won't get a clean bill of health from me until we've completed a thorough investigation in accordance with industry norms,'" he says. "Many consultants and employees on internal teams are afraid to do this and upset management."
But too often, Williams says, incident response teams leave without having scanned every system inside an enterprise for indicators of compromise tied to the breach they've been hired to investigate. He says that problem is often compounded by organizations failing to maintain an inventory of all devices that connect to the corporate network.
This isn't the first time that Trustwave has been sued in the wake of a security breach. In 2014, for example, the firm was sued over the Target breach, together with the retailer (see Target Breach: Another Suit Names Trustwave). Some of the lawsuits said that because Trustwave was Target's alleged Payment Card Industry qualified security assessor, it bore responsibility for Target subsequently failing to maintain the security of the payment card data that it processed (see Visa's Perez on Why PCI Still Matters). But Trustwave's Purdy notes that those lawsuits were quickly thrown out.
Target wasn't the first company that was apparently PCI-certified by Trustwave to have been breached. Payment processor Heartland, for example, was Trustwave-certified in 2009 when it discovered a data breach that compromised about 130 million credit and debit cards, triggering $150 million in remediation costs. Likewise in 2008, Trustwave reportedly certified payment processing company RBS WorldPay - now known simply as Worldpay - as being compliant with the PCI Data Security Standard just four days before it suffered a data breach that exposed up to 1.1 million Social Security numbers and payroll information for up to 1.5 million individuals.
But as many information security experts have noted, PCI compliance doesn't mean that an organization is hack-proof. At the same time, however, security expert Davi Ottenheimer suggests via Twitter that there's confusion in the marketplace over services that are marketed as PCI-related investigations.