Slashdot Mirror

← Back to Stories (view on slashdot.org)

Casino Sues Security Firm For Failing To Contain Malware Infection (softpedia.com)

Posted by samzenpus on from the keeping-it-cool dept.

An anonymous reader writes: US casino chain Affinity Games is suing Trustwave Holdings, a cyber-security vendor that was brought in to investigate a card breach but failed to detect and stop a malware incident on Affinity's servers, which led to the escalation of a previous card breach. The casino chain noticed the sloppy job a few months later when it hired a penetration testing company to comply with new gaming regulation. Mandiant was brought in to mop up Trustwave's job later on. Affinity is now suing for $100,000 (or more) in damages.

6 of 50 comments (clear)

  1. It's a gamble by penguinoid · · Score: 4, Insightful

    Hire the wrong security, and you might be wasting your money or even exacerbating the problem. The cheapest security is usually not the cheapest.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:It's a gamble by gstoddart · · Score: 5, Insightful

      Hey, it's entirely possible to be expensive and incompetent.

      Lousy companies never cease to over-value their services.

      --
      Lost at C:>. Found at C.
    2. Re:It's a gamble by Opportunist · · Score: 4, Interesting

      That is if you're actually interested in security. Most of the time companies are just interested in getting certified for compliance.

      This is why there still are snake oil peddlers in this business. If all you're really interested in is a sheet of paper so you can get a contract, what you want is the auditor that tells you everything in your company is in a great security shape. Not that pesky one that would actually find something wrong with your security.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:It's a gamble by Anonymous Coward · · Score: 5, Funny

      You've worked with Oracle before I see.

  2. Re:So a Normal Business Matter by gstoddart · · Score: 4, Interesting

    No, no it isn't:

    "Trustwave willfully disregarded further evidence that the breach was likely more widespread than what the firm found through its review of the limited systems it examined," the lawsuit reads. "Trustwave willfully disregarded other evidence that the breach was more widespread than first believed."

    According to the Mandiant report, the attacker accessed at least 93 systems and deployed credit card harvesting malware on 76, 12 of which were PCI (Payment Card Industry)-compliant servers, which Trustwave was specifically told to inspect.

    This really sounds like they hired Trustware, who did a half-assed job, and failed to look at things they had been contracted to look at.

    So, take your pick: incompetence, laziness, or fraud.

    --
    Lost at C:>. Found at C.
  3. Reminder.. by TechyImmigrant · · Score: 5, Interesting

    >PCI (Payment Card Industry)-compliant servers

    PCI-DSS, the security standards for payment processing have nothing to do with security. There is a veneer of 'we are doing this for security', but none of it makes sense. This is why we keep seeing PCI-DSS compliant systems getting hacked and revealing card and personal details by the million.
     

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.