United States District Court, D. Nevada
MITCHELL, CIPOLLONE, BEATO & MISSNER LLP JONATHAN L.
MISSNER, ESQ. ROBERT B. GILMORE, ESQ. REID RUBINSTEIN &
BOGATZ I. SCOTT BOGATZ, ESQ. CHARLES M. VLASIC III, ESQ.
Attorneys for Plaintiff Affinity Gaming
Affinity Gaming (sometimes referred to herein as
“Affinity”), by and through the law firms of
Stein, Mitchell, Cipollone, Beato & Missner LLP and Reid
Rubinstein & Bogatz, respectfully sets forth its
Complaint against Defendant, Trustwave Holdings, Inc.
(“Trustwave”), and alleges as follows:
Beginning in October 2013, Trustwave, a firm that holds
itself out to be a premier data security company, repeatedly
assured Affinity Gaming (the owner of several casinos in
Nevada) that Trustwave would investigate, diagnose and help
remedy the data breach Affinity Gaming suffered. Relying on
these assurances, Affinity Gaming hired Trustwave.
At the conclusion of its investigation, Trustwave represented to
Affinity Gaming that the data breach was
“contained” and purported to provide
recommendations for Affinity Gaming to implement that would
help fend off future data attacks.
Trustwave's representations were false. After
Trustwave's engagement had concluded, Affinity Gaming
learned that it had suffered an ongoing data breach. This
discovery required Affinity Gaming to retain a second data
security consulting firm, Mandiant.
Mandiant's forthright and thorough investigation
concluded that Trustwave's representations were untrue,
and Trustwave's prior work was woefully inadequate. In
reality, Trustwave lied when it claimed that its so-called
investigation would diagnose and help remedy the data breach,
when it represented that the data breach was
“contained,” and when it claimed that the
recommendations it was offering would address the data
breach. Trustwave knew (or recklessly disregarded) that it
was going to, and did, examine only a small subset of
Affinity Gaming's data systems, and had failed to
identify the means by which the attacker had breached
Affinity Gaming's data security. Thus, Trustwave could
not in good faith have made the foregoing representations to
Trustwave's misrepresentations and grossly negligent
performance resulted in Affinity Gaming suffering significant
out of pocket losses. Affinity Gaming's ongoing data
security breach also has drawn scrutiny from gaming and
consumer protection regulators.
Trustwave has failed to accept responsibility for its
misconduct and to compensate Affinity Gaming for its
resulting losses. Accordingly, Affinity Gaming brings this
action against Trustwave to recover the damages Trustwave has
This Court has subject matter jurisdiction pursuant to 28 U.S.C.
§ 1332(a), because Affinity Gaming and Trustwave are
citizens of different states, and the amount in controversy
exceeds $75,000.
This Court has personal jurisdiction over Trustwave, because it
has purposefully availed itself of the benefits of the state,
and because it regularly transacts business within the state,
including specifically with respect to the present dispute by
contracting with Affinity Gaming, a Nevada corporation, and
by making its representations and conducting its services at
Affinity Gaming's business premises within the state.
Venue is proper under 28 U.S.C. § 1391(b)(2) because a
substantial part of the events and omissions giving rise to
the underlying dispute occurred in this jurisdiction.
Affinity Gaming is a corporation organized under the laws of
Nevada, with its principal place of business at 3755
Breakthrough Way, Suite 300, Las Vegas, Nevada, 89135.
Affinity Gaming owns and operates 11 casinos in four states,
including five casinos in Nevada.
Trustwave Holdings, Inc. is a corporation organized under the
laws of Delaware with its principal place of business at 70
W. Madison Street, Suite 1050, Chicago, Illinois 60602.
Trustwave represents itself as a firm that is highly
experienced and capable in the field of data security. For
example, Trustwave's website states:
Trustwave helps businesses fight cybercrime, protect data and
reduce security risk. With cloud and managed security
services, integrated technologies and a team of security
experts, ethical hackers and researchers, we enable
businesses to transform the way they manage their information
security and compliance programs.
Affinity Gaming Initially Learns of a Data Breach.
Over the course of 2012 through 2013, Affinity Gaming made
various changes to its information technology
(“IT”) network security, as part of an overall
ongoing upgrade of its IT network systems in connection with
the company's acquisition of several properties and
contemporaneous separation from a shared services arrangement
with a former affiliate.
Despite Affinity Gaming's efforts at ensuring the
security of its network and data, outside hackers were able
to compromise the company's security.
On or about October 24, 2013, Affinity Gaming learned of
information that led it to believe it had suffered a data
Specifically, a small number of Affinity Gaming's
customers, as well as local law enforcement, contacted the
company regarding potential fraudulent credit card activity.
Affinity Gaming's IT personnel responded to these reports
and, based on their preliminary assessment, concluded that
the company's data systems may have been compromised.
Affinity Gaming quickly reported this suspected data breach
to its cyber insurance carrier, ACE, as well as to interested
entities such as card-issuing banks.
recommended that Affinity Gaming retain the services of a
professional forensic data security investigator
(“PFI”), and listed Trustwave as one of its panel
Affinity Gaming Hires Trustwave.
Affinity Gaming quickly contacted Trustwave to inquire
whether Trustwave could help Affinity to identify and remedy
the apparent data breach.
From October 28-31, 2013, Trustwave personnel, including
Chris Hague, Grayson Lenik and Matthew Aronson, had multiple
direct and indirect conversations with Affinity Gaming
personnel (including its Vice President of Insurance and
Benefits and Vice President of Information Technology).
During those conversations, Trustwave personnel represented
that the company had the capabilities to, and would, identify
and help remedy the causes of the data breach, as well as
facilitate Affinity Gaming's implementation of measures
to help prevent further such breaches.
Hiring a firm with the proper data breach response expertise,
such as Trustwave held itself out to be, was of paramount
importance for Affinity Gaming, because, while Affinity takes
seriously its data security obligations, and has implemented
commercially reasonable and appropriate measures to protect
its and its customers' data, Affinity is not an IT
security firm and lacks the level of expertise and know-how
in the technical aspects of data security that a firm like
Trustwave purports to possess.
Thus, with respect to the apparent data breach, Affinity
Gaming was wholly dependent on, and subordinate in terms of
its knowledge, understanding, and capabilities, to Trustwave,
relying on Trustwave to investigate, diagnose, and prescribe
appropriate measures to address, Affinity's apparently
compromised data security.
Moreover, Trustwave knew that it was important to
Affinity's business relationships with its customers and
credit card companies, as well as its relationships with its
governmental regulators, that Affinity swiftly identify and
resolve the data breach problem, so that Affinity could
minimize the risk that it would suffer fines, penalties and
monetary claims as a result of the breach.
Relying on Trustwave's representations, in October 2013,
Affinity Gaming hired Trustwave to investigate and help
remedy the data breach.
Trustwave drafted and presented to Affinity Gaming an
Incident Response Agreement (the “Agreement”),
which the parties dated October 31, 2013.
Under the Agreement, Trustwave agreed to undertake a “PCI
[Payment Card Industry] Forensic Investigation.”
Trustwave represented that “PCI Forensic Investigations
are conducted on behalf of organizations that have a
suspected compromise of their cardholder data environment,”
and that “PCI Forensic Investigations are
designed to identify if, how, what, and for how long
cardholder data has been compromised and to provide
recommendations to increase security.”
Under the Agreement, Trustwave promised to provide a “PCI
Forensic Investigation [PFI] Report.” That PFI Report
had as its deliverables a description of the techniques and
forensic analysis performed, the “technical findings,”
and “the conclusions of the investigation; has
a compromise occurred; if so, what the evidence shows was the
cause of the compromise; what data is at risk.”
Under the Agreement, Trustwave represented that its “[w]ork
will be conducted in accordance with an agreement between
Trustwave and the client,” and that it would use
“[a] rigorous quality assurance process.”
Trustwave expressly warrantied in the Agreement that its
“Services provided under this Agreement shall be
performed with that degree of skill and judgment normally
exercised by recognized professional firms performing
services of the same or substantially similar nature.”
Trustwave Performs a Woefully Inadequate
“Investigation” and Submits a Misleading Report
Trustwave investigators arrived at Affinity's offices on
November 1, 2013. After more than two months meeting with
Affinity personnel, analyzing Affinity's data systems,
and providing a supposed diagnosis and suggested remedial
measures for the data breach, on January 13, 2014, Trustwave
submitted its PFI Report, describing its findings and
Trustwave stated in its PFI Report that “[t]he goal of
the investigation was to determine the extent to which a
breach may have occurred.” (Emphasis added.)
In its PFI Report, Trustwave defined the “initial scope of
the engagement” as inspection of only 10 servers and
systems and Affinity Gaming's “physical
security” and “network topology.”
Affinity Gaming trusted, and was dependent on,
Trustwave's assessment on what the proper scope of its
engagement should be, given Trustwave's data security
expertise, and in no way limited or restricted
Trustwave's investigation of Affinity Gaming's data
In its PFI Report, Trustwave made numerous representations to
Affinity, including, among other things, that:
• “Trustwave has completed 100% of [its]
investigative efforts,”
• that the data breach “compromise has been
contained,” and
• that a “backdoor component appears to exist within
the code base, but appears to be inert” (Emphases
Trustwave also stated that it “believe[d] that the
attacker became aware of the security upgrades that were
taking place and took several steps to remove both the
malware and evidence of the attack itself. Almost all
components of the malware were deactivated and/or removed from
the systems on October 16, 2013. This activity ended the
breach.” (Emphasis added.)
In the “Incident Dashboard” in the front of its PFI
Report, Trustwave explicitly stated to Affinity Gaming:
“Compromise Status - Contained: Malware removed”
Finally, Trustwave presented Affinity Gaming with a number of
recommendations on how to improve the company's data
security measures. Following the conclusion of
Trustwave's engagement, Affinity Gaming began to
implement Trustwave's recommendations.
Despite Trustwave's Representations, Affinity Gaming
Learns That Its Data Breach Had Not Been Contained, And That
Its Data Systems Remained Unsecure.
However, the truth was something quite different than what
Shortly after Trustwave's engagement ended, and after
Trustwave had promised that the data breach had been
“contained” and the suspected backdoor(s)
“inert,” Affinity Gaming learned that its data
systems still were compromised.
Affinity Gaming hired Ernst & Young to perform
penetration testing pursuant to new regulations from the
Missouri Gaming Commission. On April 16, 2014, in the course
of performing such a test, Ernst & Young identified
suspicious activity, including ongoing activity from a
malware program named “Framepkg.exe,” which
Trustwave had found, but apparently had not contained or
sought to remediate, during its investigation in 2013.
Concerned that Trustwave's so-called “forensic
investigation” had not lived up to what Trustwave had
represented, Affinity Gaming was forced once again to conduct
a forensic investigation into its data security, retaining a
second data security firm, Mandiant. Affinity Gaming
contracted with Mandiant on April 19, 2014 to investigate
the newly-discovered suspicious activity.
Mandiant, like Trustwave was supposed to have done before,
undertook an investigation to identify the source of the
potential breach, ensure the breach was contained, and
identify any security deficiencies. On April 23, 2014,
Mandiant identified an ongoing incident affecting Affinity
Gaming's cardholder data environment and initiated its
Mandiant's investigation initially focused on a period of
attacker activity between December 6, 2013 and April 27,
2014. The scope of the investigation expanded to include the
“previous” data breach that had occurred between
March and October, 2013 - the data breach Trustwave
supposedly had investigated - after Mandiant determined that
Trustwave had failed to identify the entire extent of the
On April 28, 2014, Mandiant submitted a Preliminary PFI Report
to Affinity Gaming and credit card companies, and submitted
its final PFI Report on July 1, 2014 (the “Mandiant PFI
Mandiant's conclusions were startling to Affinity Gaming.
Mandiant's far more thorough and forthright investigation
correctly diagnosed the true cause of the data breach - a
cause that Trustwave could have and should have identified
and helped remedy originally.
Trustwave had failed to diagnose that the data breach
actually was the result of unidentified outside persons or
organizations who were able to compromise Affinity's data
through Affinity Gaming's Virtual Private Network
(“VPN”), and that the “backdoor” these
persons/organizations had created - which Trustwave had