Affinity Gaming, a US casino operator, has filed a lawsuit against cyber security provider Trustwave for allegedly failing to contain their data breach. In the lawsuit, the casino operator claims “Trustwave lied when it claimed its so-called investigation would diagnose and help remedy the data breach.” The data breach in question occurred in 2013 when Affinity Gaming was contacted by law enforcement officials about credit card fraud linked to casino patrons. A subsequent investigation confirmed unauthorized access to the company’s credit and debit card systems in its Nevada, Colorado, Missouri and Iowa casinos. The company encouraged “individuals who visited its gaming facilities between March 14th and October 16th of 2013 to take steps to protect their identities and financial information.” 

According to the court documents, the casino operator hired Trustwave to contain and neutralize the data breach: “Shortly after Trustwave’s engagement ended, and after Trustwave had promised that the data breach had been “contained” and the suspected backdoor(s) “inert,” Affinity Gaming learned that its data systems still were compromised.” Additionally, the casino operator hired a second cyber security provider to audit its systems. In the course of this audit, this second cyber security provider discovered ongoing malicious activity in the casino operator’s credit and debit card systems, including a backdoor which allowed cybercriminals to bypass normal security authentication and malware which the company claims was left in its system since the first breach. 

In a statement to ZDNet, Trustwave denied the purported negligence and added, "we dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court." Affinity Gaming is seeking at least $100,000 in damages in addition to $1.2 million it has already received from a cyber security insurance policy. As ZDNet reports, the lawsuit “paves the way for fresh avenues of liability when it comes to cybersecurity.” Perhaps it will change the way companies which suffer a data breach recover their financial losses.