Affinity Gaming, a Nevada-based firm that operates 11 casinos across the US, is suing security firm Trustwave for failing to properly contain a data breach it was hired to investigate, according to legal documents.
Affinity Gaming vs Trustwave Holdings was filed in December last year.
Affinity hired Trustwave in October 2013 to resolve a security flaw that hackers had exploited to obtain the credit card information of up to 300,000 customers.
Trustwave filed a forensics report claiming to have identified the source of the breach and the malware responsible. However, on finding a second large-scale data breach, Affinity was forced to hire a second security firm, Mandiant, which described the initial investigation as flawed.
The legal action is one of the first examples of a client holding a cyber security firm to account for failing to contain a breach, and could have long-term implications for the security industry.
Affinity claimed in the legal papers that the second breach was completely missed during the initial Trustwave investigation.
"Shortly after Trustwave's engagement ended, and after Trustwave had promised that the data breach had been contained and the suspected backdoor 'inert', Affinity Gaming learned that its data systems were still compromised," the firm said.
The documents also describe the initial Trustwave investigation as "woefully inadequate".
"In reality, Trustwave lied when it claimed that its so-called investigation would diagnose and help remedy the data breach, when it represented that the data breach was 'contained', and when it claimed that the recommendations it was offering would address the data breach," Affinity said.
Furthermore, the papers said that the Mandiant investigation revealed "a long list of Trustwave misrepresentations, omissions and failures".
These are said to include a failure to catch two separate malware strains on the Affinity servers, and that Trustwave "wilfully disregarded" evidence that the breach was more widespread than initially thought.
"Had Trustwave performed the investigation and data security measures it represented to have taken, it could have, and should have, identified the causes and extent of the data breach during its engagement, and identified measures that would actually have remedied the breach and prevented the attacker from again accessing Affinity Gaming's systems," the litigation stated.
As a result, Affinity is seeking $100,000 in damages from Trustwave after using $1.2m of its $5m cyber insurance policy on the breach.
Trustwave has denied any wrongdoing. "We dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court," the firm said in a statement to V3.
Sean Sullivan, a security expert at F-Secure, explained that cyber security investigations are complex and that forensic clues are "often limited".
"Many in the security industry are developing better monitoring tools (a network 'black box') that will allow better post-breach investigations," he told V3.
"There are going to be numerous learning curves for security companies and their customers in the meantime. I'm sure lawyers will take account of this in the future when drawing up new contracts."