In what is being described as a landmark case, Nevada-based casino operator Affinity Gaming is suing cybersecurity firm Trustwave for inadequately investigating and containing a 2014 data breach. The lawsuit not only marks the first time a security firm is sued over post-breach remediation efforts—it also highlights the complexities around managing cyber risk for high risk organizations in today's threat landscape.
Infosec compromises involving casinos have been increasingly making headlines: The Venetian, Hard Rock, and Sands are among the more recent notables. We've covered data breaches involving casinos previously, but the Affinity Gaming incident and Trustwave fallout poses some interesting questions around post-breach liability. For example, if data breaches are now considered a matter of when, not if—where does the burden of responsibility fall when they occur?
Affinity Gaming is a Paradise, Nevada-based casino operator with 11 gambling facilities across the United States. In December 2013, the company announced that its payment processing systems had been compromised, impacting around 300,000 customers. It then hired Chicago-based cybersecurity firm Trustwave to investigate and remediate the breach. Months later, Ernst & Young—followed soon thereafter by FireEye-owned Mandiant—discovered a second breach previously undetected by Trustwave. Affinity Gaming asserts that Trustwave's investigation was “woefully inadequate” and that it submitted a misleading report based on faulty conclusions. The following is an excerpt from Affinity Gaming's complaint:
“Trustwave had failed to diagnose that the data breach actually was the result of unidentified outside persons or organizations who were able to compromise Affinity’s data through Affinity Gaming’s Virtual Private Network (VPN), and that the ‘backdoor’ these persons/organizations had created — which Trustwave had speculated may have existed but concluded was ‘inert’ — was very real and accessible...”
Unsurprisingly, Trustwave has disputed any claims of wrongdoing on its part and says it will fight Affinity's claims tooth and nail in court.
Digital Resilience For High Risk Firms
Of course, high value targets like casinos and banks have always topped the list in terms of heistworthiness. Gambling institutions are therefore keen on the inevitability of high-stakes criminal activity occurring in their premises, and most if not all have various risk controls in place to minimize financial losses in the face of such adversities. These include lucrative insurance policies to cover losses stemming from robbery and theft and can even cover more unconventional scenarios. For example, in Macau—where the gambling industry is 7 times larger than Las Vegas'—policies that cover the deployment of crisis responders to handle kidnappings of severely indebted or wealthy/celebrity guests are common. These policies also shield casinos and hotels from financial losses arising from victims and family members' lawsuits. In other words, casino insurance policies are designed to allow gambling institutions to operate resiliently in high risk environments, in any given situation.
In this new age of mass digitization, however, the concept of resiliency is just beginning to translate over to the digital realm. Cyber insurance is still in its infancy and firms are just coming to terms with the reality of the inevitable data breach. So when high cost data breaches occur—as in the case of Affinity Gaming—lawsuits will ensue to defray said costs.
UpGuard for Digital Resilience
At Gartner's Security & Risk Management Summit last year, Peter Firstbrook, research director at Gartner, describes digital resilience as being "about absorbing the punches and bouncing back from the big things while accepting certain risks for the achievement of success.” To survive in today's world of continuous and catastrophic threats, IT security must be approached from a risk-based perspective. This includes acquiring the proper cyber risk insurance coverage and—perhaps more importantly—equipping the organization with the proper mechanisms for quantifying security risk as an initial step.
UpGuard's digital resilience platform is the only solution on the market for accurately and comprehensively assessing a firm's security posture and fitness on an ongoing basis. Our CSR–or Cyber Security Rating–consists of a composite score representing the collective vulnerability of every server, network device, and cloud service to the risk of breaches, akin to a credit score for IT security. UpGuard not only detects and alerts you of vulnerabilities and security flaws that could lead to data breaches–it provides the requisite metrics for measuring risk in the context of cyber insurance coverage. And unlike other offerings, our platform quantifies cybersecurity risk based on both the state of your internal systems as well as external data sources.
Ready to dive in? Start with a guided UpGuard demo.
All the information needed to perform a CSR assessment is bundled into the UpGuard platform. Learn more about CSR.
The UpGuard Website Risk Grader provides a low friction way to get an initial assessment of a business' risk profile.
And as we enter 2016, the risk of data breaches in particular threatens to hamper business innovation.