Slashdot Mirror


Casino Sues Security Firm For Failing To Contain Malware Infection (softpedia.com)

An anonymous reader writes: US casino chain Affinity Games is suing Trustwave Holdings, a cyber-security vendor that was brought in to investigate a card breach but failed to detect and stop a malware incident on Affinity's servers, which led to the escalation of a previous card breach. The casino chain noticed the sloppy job a few months later when it hired a penetration testing company to comply with new gaming regulation. Mandiant was brought in to mop up Trustwave's job later on. Affinity is now suing for $100,000 (or more) in damages.

14 of 50 comments

  1. So a Normal Business Matter by Anonymous Coward · Score: 3, Insightful

    This could read as:

        Company hires accounting firm,

        Company hires Auditing firm who notices accounting firm's errors.

        Company hires OTHER accounting firm to fix problems from first accounting firm.... sues 1st accounting firm for breach of contract.

    How is this not business as normal?

    1. Re:So a Normal Business Matter by gstoddart · Score: 4, Interesting

      No, no it isn't:

      "Trustwave willfully disregarded further evidence that the breach was likely more widespread than what the firm found through its review of the limited systems it examined," the lawsuit reads. "Trustwave willfully disregarded other evidence that the breach was more widespread than first believed."

      According to the Mandiant report, the attacker accessed at least 93 systems and deployed credit card harvesting malware on 76, 12 of which were PCI (Payment Card Industry)-compliant servers, which Trustwave was specifically told to inspect.

      This really sounds like they hired Trustwave, who did a half-assed job, and failed to look at things they had been contracted to look at.

      So, take your pick: incompetence, laziness, or fraud.

      --
      Lost at C:>. Found at C.
    2. Re:So a Normal Business Matter by Anonymous Coward · Score: 2, Funny

      How is this not business as normal?

      Normally, for a casino, they'd hire Guido and Luigi, who would solve problems in another way.

    3. Re:So a Normal Business Matter by ark1 · Score: 3, Insightful

      If you want a medical world analogy for this case: 1. Guy gets shot with a shotgun. 2. Surgeon identifies and removes some shrapnel but fails to identify it all. 3. Guy shows up for an annual medical check. 4. Routine tests reveal presence of shrapnel. 5. Guy sues initial Surgeon. If negligence is suspected based on the initial scope of the contract, the Casino has every right to sue and will likely win.

  2. It's a gamble by penguinoid · Score: 4, Insightful

    Hire the wrong security, and you might be wasting your money or even exacerbating the problem. The cheapest security is usually not the cheapest.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:It's a gamble by gstoddart · Score: 5, Insightful

      Hey, it's entirely possible to be expensive and incompetent.

      Lousy companies never cease to over-value their services.

      --
      Lost at C:>. Found at C.
    2. Re:It's a gamble by Opportunist · Score: 4, Interesting

      That is if you're actually interested in security. Most of the time companies are just interested in getting certified for compliance.

      This is why there are still snake oil peddlers in this business. If all you're really interested in is a sheet of paper so you can get a contract, what you want is the auditor that tells you everything in your company is in great security shape. Not that pesky one that would actually find something wrong with your security.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:It's a gamble by Anonymous Coward · Score: 5, Funny

      You've worked with Oracle before I see.

    4. Re:It's a gamble by arth1 · Score: 2

      Hiring someone to do security after the fact is like hiring someone to fix a badly designed house. It's going to cost a fortune, and the design will still be bad.

      At times like that, eat crow, and build a replacement product from the ground up, this time with security as part of the integral design from the get-go. Yes, it will be expensive, but less so than recurring breaches.

    5. Re:It's a gamble by ericloewe · Score: 2

      That's unfair.

      Everyone at Oracle is extremely competent. How else would they manage to so consistently screw people over?

  3. Reminder.. by TechyImmigrant · Score: 5, Interesting

    > PCI (Payment Card Industry)-compliant servers

    PCI-DSS, the security standard for payment processing, has nothing to do with security. There is a veneer of 'we are doing this for security', but none of it makes sense. This is why we keep seeing PCI-DSS compliant systems getting hacked and revealing card and personal details by the million.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  4. Re: YOU created the mess in the first place by Frosty+Piss · Score: 2

    No, they hired a company to ferret out and fix their problems, paid a lot of cash for the service, and the company did a half-assed job.

    --
    If you want news from today, you have to come back tomorrow.
  5. Re: YOU created the mess in the first place by arth1 · Score: 3, Interesting

    > No, they hired a company to ferret out and fix their problems, paid a lot of cash for the service, and the company did a half-assed job.

    Yes, that is the second problem that's also the Casino's fault: they hired someone else (twice!) to fix a problem instead of having the problems pointed out and then making the decisions themselves, whether that would be to paint over the flaws or replace a broken design from scratch.

    Yes, the security company is at fault for not delivering what they signed up to deliver, but the Casino messed up several times.
    A good king's ruling would be to award the Casino a payback in full, with interest, only to be paid once the casino has fully replaced the broken systems, and shown that they have processes in place to prevent insecure designs from being approved and implemented.

  6. Re:Trustwave and Target by mysidia · Score: 2

    Yes..... Trustwave was initially being sued over the Target breach as well. Seems this is like Strike 2 for Trustwave.

    I imagine that cases like this coming to the media must be quite damaging to their reputation, and they should want to avoid further occasions and settle it quickly.