Affinity Sues Trustwave Over Cyberattack

Affinity Gaming hired Trustwave to analyze and contain a data breach affecting 300,000 customers. During that investigation, a second cyberattack occurred that Trustwave missed, although it declared the threat was contained. As a result, in one of the first lawsuits of its kind, Affinity is suing Trustwave in federal court, seeking $100,000 in damages.

Affinity Gaming has filed a lawsuit in U.S. District Court in Nevada against Chicago-based Trustwave. The Financial Times reported that Affinity hired Trustwave to investigate and contain a data breach that exposed the data of as many as 300,000 Affinity customers. While that investigation was going on, a second cyberattack occurred, which Trustwave did not catch even as it stated the threat was contained. Affinity is seeking $100,000 in damages from Trustwave after using $1.2 million of a $5 million cyberinsurance policy on the breach.

A Trustwave spokesperson said, “We dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court.”

Affinity’s lawsuit claims, “Shortly after Trustwave’s engagement ended, and after Trustwave had promised that the data breach had been ‘contained’ and the suspected backdoors ‘inert,’ Affinity Gaming learned that its data systems still were compromised.” In April 2014, Ernst & Young, hired by Affinity to perform penetration testing, identified suspicious activity, including a malware program that Trustwave had found “but apparently had not contained or sought to remediate, during its investigation in 2013,” according to court documents. “In reality, Trustwave lied when it claimed that its so-called investigation would diagnose and help remedy the data breach, when it represented that the data breach was ‘contained’ and when it claimed that the recommendations it was offering would address the data breach.”

The lawsuit may be one of the first in which a company challenges a cybersecurity contractor over how it managed the impact of a hack. Cybersecurity attorney Peter Toren, a former prosecutor with the Department of Justice’s Computer Crimes Division, said, “I think it’s going to be difficult to establish that a computer security company was somehow negligent. That’s going to be a question of proof that’s going to prevent a lot of these suits from happening. If they can establish that the security company was negligent, then I don’t see why this wouldn’t become much more common.”