Slashdot Mirror

← Back to Stories (view on slashdot.org)

Casino Sues Security Firm For Failing To Contain Malware Infection (softpedia.com)

Posted by samzenpus on from the keeping-it-cool dept.

An anonymous reader writes: US casino chain Affinity Games is suing Trustwave Holdings, a cyber-security vendor that was brought in to investigate a card breach but failed to detect and stop a malware incident on Affinity's servers, which led to the escalation of a previous card breach. The casino chain noticed the sloppy job a few months later when it hired a penetration testing company to comply with new gaming regulation. Mandiant was brought in to mop up Trustwave's job later on. Affinity is now suing for $100,000 (or more) in damages.

4 of 50 comments (clear)

  1. Re:So a Normal Business Matter by gstoddart · · Score: 4, Interesting

    No, no it isn't:

    "Trustwave willfully disregarded further evidence that the breach was likely more widespread than what the firm found through its review of the limited systems it examined," the lawsuit reads. "Trustwave willfully disregarded other evidence that the breach was more widespread than first believed."

    According to the Mandiant report, the attacker accessed at least 93 systems and deployed credit card harvesting malware on 76, 12 of which were PCI (Payment Card Industry)-compliant servers, which Trustwave was specifically told to inspect.

    This really sounds like they hired Trustware, who did a half-assed job, and failed to look at things they had been contracted to look at.

    So, take your pick: incompetence, laziness, or fraud.

    --
    Lost at C:>. Found at C.
  2. Re:It's a gamble by Opportunist · · Score: 4, Interesting

    That is if you're actually interested in security. Most of the time companies are just interested in getting certified for compliance.

    This is why there still are snake oil peddlers in this business. If all you're really interested in is a sheet of paper so you can get a contract, what you want is the auditor that tells you everything in your company is in a great security shape. Not that pesky one that would actually find something wrong with your security.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Reminder.. by TechyImmigrant · · Score: 5, Interesting

    >PCI (Payment Card Industry)-compliant servers

    PCI-DSS, the security standards for payment processing have nothing to do with security. There is a veneer of 'we are doing this for security', but none of it makes sense. This is why we keep seeing PCI-DSS compliant systems getting hacked and revealing card and personal details by the million.
     

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  4. Re: YOU created the mess in the first place by arth1 · · Score: 3, Interesting

    No, they hired a company to ferret out and fix their problems, paid a lot of cash for the service, and the company did a half-assed job.

    Yes, that is the second problem that's also the Casino's fault: They hired someone else (twice!) to fix a problem instead of pointing out the problems and then make the decisions themselves, whether it would be to paint over the flaws or replace a broken design from scratch.

    Yes, the security company is at fault for not delivering what they signed up to deliver, but the Casino messed up several times.
    A good king's ruling would be to award the Casino a payback in full, with interest, only to be paid once the casino has fully replaced the broken systems, and shown that they have processes in place to prevent insecure designs from being approved and implemented.