Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Security Businesses IT

Casino Sues Security Firm For Failing To Contain Malware Infection (softpedia.com) 50

An anonymous reader writes: US casino chain Affinity Games is suing Trustwave Holdings, a cyber-security vendor that was brought in to investigate a card breach but failed to detect and stop a malware incident on Affinity's servers, which led to the escalation of a previous card breach. The casino chain noticed the sloppy job a few months later when it hired a penetration testing company to comply with new gaming regulation. Mandiant was brought in to mop up Trustwave's job later on. Affinity is now suing for $100,000 (or more) in damages.
This discussion has been archived. No new comments can be posted.

Casino Sues Security Firm For Failing To Contain Malware Infection

Comments Filter:
  • by Anonymous Coward on Sunday January 17, 2016 @12:55PM (#51318053)

    This could read as:

        Company hires accounting firm,

        Company hires Auditing firm who notices accounting firms errors.

        Company hires OTHER accounting firm to fix problems from first accounting firm.... sues 1st accounting firm for breach of contact.

    How is this not business as normal?

    • by Anonymous Coward

      It is the old "on a computer" fallacy. Everything is new again when it is done on a computer. Just look at how many patents are granted for things people have done for years but are new because they are on a computer or all the sky-high IPOs in the dot-com era or today.

    • It's more

      Go to a doctor to cure your back pain.
      Have another doctor examine your foot a few months later.
      Sue the first doc for not finding the wart on your foot when he examined your back.

      • by gstoddart ( 321705 ) on Sunday January 17, 2016 @01:22PM (#51318143) Homepage

        No, no it isn't:

        "Trustwave willfully disregarded further evidence that the breach was likely more widespread than what the firm found through its review of the limited systems it examined," the lawsuit reads. "Trustwave willfully disregarded other evidence that the breach was more widespread than first believed."

        According to the Mandiant report, the attacker accessed at least 93 systems and deployed credit card harvesting malware on 76, 12 of which were PCI (Payment Card Industry)-compliant servers, which Trustwave was specifically told to inspect.

        This really sounds like they hired Trustware, who did a half-assed job, and failed to look at things they had been contracted to look at.

        So, take your pick: incompetence, laziness, or fraud.

        • Reminder.. (Score:5, Interesting)

          by TechyImmigrant ( 175943 ) on Sunday January 17, 2016 @01:39PM (#51318199) Homepage Journal

          >PCI (Payment Card Industry)-compliant servers

          PCI-DSS, the security standards for payment processing have nothing to do with security. There is a veneer of 'we are doing this for security', but none of it makes sense. This is why we keep seeing PCI-DSS compliant systems getting hacked and revealing card and personal details by the million.

          • by rakslice ( 90330 )

            The PCI DSS is a set of basic set of system/network administration goals related to security. It means what it means. It doesn't mean that known vulnerabilities have been patched, or that specific security measures have been taken to secure card data. It does mean that system default passwords have been changed, that users have unique IDs, and that there is some kind of auditing going on.
            It's a fair assessment IMO to say it's a "veneer" that is going to continue to allow giant breaches because it doesn't pr

            • by rakslice ( 90330 )

              about how little security it thinks

              By "it" there I meant the credit card industry.

            • My family has a small business. But I have a day job as a security engineer. I design security circuits and work in cryptographic standards.

              So I got exposed to the PCI-DSS specs when I was implementing the point of sale system for my family's business and many of their requirements ran counter to security. They should have concentrated on more specific details of how computers handle personal details and card details.

      • by ark1 ( 873448 ) on Sunday January 17, 2016 @02:24PM (#51318353)
        If you want a medical world analogy for this case: 1. Guys gets shot with a shotgun. 2. Surgeon identifies and removes some shrapnel but fails to identify it all. 3. Guy show-ups for an annual medical check. 4. Routine tests reveal presence of shrapnel. 5. Guy sues initial Surgeon. If negligence is suspected based on initial scope contract, Casino has all the rights to sue and likely win.
        • by mysidia ( 191772 )

          If you want a medical world analogy for this case: 1. Guys gets shot with a shotgun.

          I'm going to go with... 1. Guy gets sick. Hires doctor to find and fix all infections for a fixed pre-paid contract.

          2. Doctor identifies invasive skin cancer and administers radiation therapy.

          3. Apparent infection dies off.... All the visible anomalies are gone according to all analysis order... doctor pronounces Guy cured.

          4. Guy show-up at Doctor2 a year later for a detailed scan.

          5. Doctor2 identifies lung cancer

    • Re: (Score:2, Funny)

      by Anonymous Coward

      How is this not business as normal?

      Normally, for a casino, they'd hire Guido and Luigi, who would solve problems in another way.

    • by mysidia ( 191772 )

      Company hires accounting firm,

      Malware detection and removal is not like accounting.

      Malware can make itself undetectable and dormant for years, and then popup on command.

      For example: there's no such thing as an antivirus with a 100% detection rate.

      If any security firm is representing that they can make a 100% assurance that all malware is gone, not involving a rebuild or restore of system from backup, Or offline comparison against a gold image, then they are lying, and they deserve to get b

  • by Anonymous Coward

    Sounds like they're just wanting the money they wasted on them back.

  • It's a gamble (Score:5, Insightful)

    by penguinoid ( 724646 ) on Sunday January 17, 2016 @01:04PM (#51318081) Homepage Journal

    Hire the wrong security, and you might be wasting your money or even exacerbating the problem. The cheapest security is usually not the cheapest.

    • Re:It's a gamble (Score:5, Insightful)

      by gstoddart ( 321705 ) on Sunday January 17, 2016 @01:05PM (#51318083) Homepage

      Hey, it's entirely possible to be expensive and incompetent.

      Lousy companies never cease to over-value their services.

    • Re:It's a gamble (Score:5, Interesting)

      by Opportunist ( 166417 ) on Sunday January 17, 2016 @01:22PM (#51318147)

      That is if you're actually interested in security. Most of the time companies are just interested in getting certified for compliance.

      This is why there still are snake oil peddlers in this business. If all you're really interested in is a sheet of paper so you can get a contract, what you want is the auditor that tells you everything in your company is in a great security shape. Not that pesky one that would actually find something wrong with your security.

      • If all you're really interested in is a sheet of paper so you can get a contract, what you want is the auditor that tells you everything in your company is in a great security shape. Not that pesky one that would actually find something wrong with your security.

        This is why SSAE 16 certification doesn't mean a lot to me. Having been through the certification process personally, I've seen firsthand a lot of crap signed off that shouldn't have been. Our "data center" was located in a suite in the office
        • by rtb61 ( 674572 )

          Security, nothing should be more secure than say elevator servicing but the cheapest elevator servicing contractors, go up there wipe over some fresh grease and leave, doing nothing else, good luck. Problem with private anything and lowest tenders is, highest profit means trying to get away with doing nothing and when caught blaming others for it. Trusted companies who do good work with high costs, no problem con artists come in with corrupt bank support, buy them out and turn them into cheating shit, infl

    • by arth1 ( 260657 )

      Hiring someone to do security after the fact is like hiring someone to fix a badly designed house. It's going to cost a fortune, and the design will still be bad.

      At times like that, eat crow, and build a replacement product from the ground up, this time with security as part of the integral design from get-go. Yes, it will be expensive, but less so than re-occurring breaches.

  • Let's see what Trustwave has to say about this. If their lawyers will let them comment. And why not? About time "silence is deafening" becomes a legal deficiency.

  • ... to fix security -- litigation.

    Instead of shrugging our shoulders with the fail of, "Well, that's just the Internet," we need to identify the incompetent and make them pay.

    Businesses are not motivated to give a shit unless there's financial gain or cost avoidance.

    That's the ONLY reason businesses have fire extinguishers, sprinklers, smoke alarms and fire exits.

  • Is it too much to ask for the article, or Slashdot's editors, to get the name of the affected company correct? It says right at the top of the lawsuit that their name is Affinity Gaming, not Affinity Games.

  • Any wagers on how this will turn out?

"Confound these ancestors.... They've stolen our best ideas!" - Ben Jonson