Did hackers outsmart cyber investigators hired to fix a data breach involving customer credit card numbers, or did the investigators do a lousy job?
A visit to the Silver Sevens casino in Las Vegas proved unlucky for gamblers back in 2013. Cyber thieves planted malware on the system and stole credit and debit card info for as many as 300,000 customers of that casino and ten others run by Affinity Gaming.
But after Affinity announced a second breach in 2014, the casino company decided it was not bad luck, but incompetence by the people they hired to fix the problem. And now Affinity has filed a lawsuit against those people, to get their money back, and then some.
Affinity said in its complaint, posted online by Ars Technica, that the company it hired, Trustwave, lied about the breach and did work that was “woefully inadequate.”
A Trustwave spokesperson told Information Security Media Group, “We dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court.”
This is a groundbreaking case, cybersecurity experts say. “First of its kind. And it will set a very important precedent, legally and for the forensics/investigation practice,” said Patrick C. Miller with Archer Security Group
Red alert
The messages started coming in on October 24, 2013—customers and law enforcement telling Affinity there was a problem. It was a data breach that affected hundreds of thousands of customers in four states.
Affinity had cyber insurance through ACE. Affinity followed ACE’s recommendations to hire professional forensic data security investigators, and chose Trustwave from ACE’s list, the complaint said.
Affinity said Trustwave claimed it did the job, finishing in January 2014.
“At the conclusion of its investigation, Trustwave represented to Affinity Gaming that the data breach was ‘contained’ and purported to provide recommendations for Affinity Gaming to implement that would help fend off future data attacks,” the complaint said.
On the Trustwave report itself, Affinity said, were the words “Compromise Status – Contained: Malware removed.”
Surprise in the system
Affinity said it began to implement those security measures. However, during security testing in April 2014, there was a surprise, a clue that there were still problems in the system. Affinity hired a new company, Mandiant, to investigate.
The new company found a new breach, Affinity said, along with major problems with Trustwave’s work.
“Trustwave had failed to identify the entire extent of the breach,” the complaint said. “In reality, Trustwave lied when it claimed that its so-called investigation would diagnose and help remedy the data breach, when it represented that the data breach was ‘contained,’ and when it claimed that the recommendations it was offering would address the data breach.”
Mandiant discovered that the intruders had started their new attack during the time Trustwave was working on the system, according to the complaint.
“While Trustwave had concluded that the last data breach activity occurred in October 2013, Mandiant’s investigation revealed that these persons/organizations again compromised Affinity Gaming’s data in December 2013, while Trustwave’s supposed investigation and remediation efforts were still ongoing,” the document said.
Affinity said it had to make another announcement in 2014 about another breach, and pay more money in assessments and customer claims, and now it wants Trustwave to take care of the damages to its reputation and its finances, totaling more than $100,000.
Far-reaching implications
The results of this case may change how companies, insurance firms and cyber forensic investigators do business, as the number of cyber attacks continues to rise.
“Regardless of who is right or wrong in this case, what is abundantly clear is the high demand for resources in incident management, and ensuring that the right resources are deployed to the right situation,” said Brandon Dunlap with Black and Veatch.
“Since there is little case law and no legislation concerning standards for incident response, the courts are teasing out the merits of the case,” said Patrick Coyle with Chemical Facility Security News.
“There are still a lot of bugs to be worked out in the cybersecurity insurance realm,” he added.
The importance of a word
It is difficult to say if a breach is truly “contained” or “over,” according to some experts.
“They’re never really over,” said Miller. “It’s fluid. Any assessment is a point in time. If the attacker knows you’re on to them, they will switch tactics, too.”
“Stating that a case is ‘over’ is a judgement call, based on what information is currently known about the situation,” said Stacy Bresler with Archer Security Group. “There are plenty of things that could happen to overturn that call that are in no way the fault of the investigator.”
Experts say attackers can be very agile and patient.
“For example, a once-considered-contained data breach could manifest itself into another type of data breach at the same organization,” said Bresler. “A determined hacker could have been saving a zero-day attack [a security flaw that a software maker does not yet know about] just for an occasion to make the organization and its hired security professionals look foolish—just for the fun of it.”
That means some forensics investigators may change the language they use to describe the status of a breach.
“I’d wager that no other company will use the word ‘contained,’ and they will indemnify themselves if the client doesn’t take the required steps to truly contain and monitor,” said Miller.
Malpractice
Dunlap compares this case to malpractice cases in the medical world.
“One doctor, who has guided treatment for cancer, as an example, may order certain tests to affirm that the patient is cancer-free, or at least in remission,” he explained. “Now, should this patient have a resurgence of the cancer, is it because the tests missed something—and treatment was subsequently curtailed, allowing the cancer to spread or regrow–or was the initial treatment ineffective, and the cancer never was under control?”
“Perhaps the specific type of cancer was particularly aggressive, and the odds of success were communicated as being very low. In any case, is the doctor at fault, and if so, to what degree?” he asked.
Doctors can use malpractice insurance to protect themselves. And forensic investigators like Trustwave may have their own version, an “error and omissions” insurance.
“Perhaps it is now up to the service provider to invoke their error and omissions policy claim process,” said Dunlap. “Likely, the provider also maintains a separate professional liability policy which they may fall back upon.”
“What this means for service providers is that they will need to have traditional business insurance policies that cover up
to, and maybe even beyond, the policies of—and expectations of possible damages to—their clients,” he said.
More help from cyber insurance companies
One of the questions in the lawsuit is about the scope of the investigation. Affinity said it trusted the scope Trustwave proposed, and had no idea it might not go far enough.
Scoping is important, wrote Jacob Williams of Rendition Infosec in a blog post.
“During an incident, the client always wants to get back to normal operations in the shortest period of time for the lowest overall cost,” Williams said. “This lawsuit provides an example of the need to clearly communicate the scope required to resolve the incident. Trustwave may have done this, but Affinity asserts they did not.”
The cyber insurance company may be able to help in situations like these, said Coyle.
“Since the cyber insurance provider should have a better understanding of the cybersecurity issues involved—and had a financial stake in the outcome of the investigation—it probably would have been helpful if they had participated in the ‘scope of investigation’ discussions,” he said.
“It would have been nice if Affinity had received recommendations on the scope of the investigation as well, or had at least had the insurance company’s approval of the Trustwave proposed scope,” he said.
Waiting on the outcome
Some say this case is not unexpected.
“All types of consultative, expert-driven business are similar,” said Dunlap. “This is why we board-certify doctors, require licensure of certain types of engineers, and have certification programs for incident handlers. All of this factors into the calculus for determining liability and—worst case—negligence.”
Either way, there may be no way to really “contain” a breach, experts say.
“The only way to really get high assurance—still not 100%—is to completely rebuild the environment. That just isn’t feasible for many organizations,” said Miller.
“Nothing is really contained until you implement the remediation efforts and perform a second evaluation to make sure there’s no further evidence of additional compromise,” he said. “And the remediation has to happen virtually instantly.”
“That is very hard,” he added. “It often means taking the environment offline. Gaming companies won’t want to lose money during the remediation, so that’s a risk they are accepting.”