Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

Affinity Gaming v. Trustwave Holdings, Inc.

United States District Court, D. Nevada

December 24, 2015

AFFINITY GAMING, a Nevada corporation, Plaintiff,
TRUSTWAVE HOLDINGS, INC., a Delaware corporation, Defendant.



         Plaintiff, Affinity Gaming (sometimes referred to herein as “Affinity”), by and through the law firms of Stein, Mitchell, Cipollone, Beato & Missner LLP and Reid Rubinstein & Bogatz, respectfully sets forth its Complaint against Defendant, Trustwave Holdings, Inc. (“Trustwave”), and alleges as follows:


         1. Beginning in October 2013, Trustwave, a firm that holds itself out to be a premier data security company, repeatedly assured Affinity Gaming (the owner of several casinos in Nevada) that Trustwave would investigate, diagnose and help remedy the data breach Affinity Gaming suffered. Relying on these assurances, Affinity Gaming hired Trustwave.

         2. At the conclusion of its investigation, Trustwave represented to Affinity Gaming that the data breach was “contained” and purported to provide recommendations for Affinity Gaming to implement that would help fend off future data attacks.

         3. Trustwave's representations were false. After Trustwave's engagement had concluded, Affinity Gaming learned that it had suffered an ongoing data breach. This discovery required Affinity Gaming to retain a second data security consulting firm, Mandiant.

         4. Mandiant's forthright and thorough investigation concluded that Trustwave's representations were untrue, and Trustwave's prior work was woefully inadequate. In reality, Trustwave lied when it claimed that its so-called investigation would diagnose and help remedy the data breach, when it represented that the data breach was “contained, ” and when it claimed that the recommendations it was offering would address the data breach. Trustwave knew (or recklessly disregarded) that it was going to, and did, examine only a small subset of Affinity Gaming's data systems, and had failed to identify the means by which the attacker had breached Affinity Gaming's data security. Thus, Trustwave could not in good faith have made the foregoing representations to Affinity Gaming.

         5. Trustwave's misrepresentations and grossly negligent performance resulted in Affinity Gaming suffering significant out of pocket losses. Affinity Gaming's ongoing data security breach also has drawn scrutiny from gaming and consumer protection regulators.

         6. Trustwave has failed to accept responsibility for its misconduct and to compensate Affinity Gaming for its resulting losses. Accordingly, Affinity Gaming brings this action against Trustwave to recover the damages Trustwave has caused.


         7. This Court has subject matter jurisdiction pursuant to 28 U.S.C. § 1332(a), because Affinity Gaming and Trustwave are citizens of different states, and the amount in controversy exceeds $75, 000.

         8. The court has personal jurisdiction over Trustwave, because it has purposefully availed itself of the benefits of the state, and because it regularly transacts business within the state, including specifically with respect to the present dispute by contracting with Affinity Gaming, a Nevada corporation, and by making its representations and conducting its services at Affinity Gaming's business premises within the state.

         9. Venue is proper under 28 U.S.C. § 1391(b)(2) because a substantial part of the events and omissions giving rise to the underlying dispute occurred in this jurisdiction.

         THE PARTIES

         10. Affinity Gaming is a corporation organized under the laws of Nevada, with its principal place of business at 3755 Breakthrough Way, Suite 300, Las Vegas, Nevada, 89135. Affinity Gaming owns and operates 11 casinos in four states, including five casinos in Nevada.

         11. Trustwave Holdings, Inc. is a corporation organized under the laws of Delaware with its principal place of business at 70 W. Madison Street, Suite 1050, Chicago, Illinois 60602. Trustwave represents itself as a firm that is highly experienced and capable in the field of data security. For example, Trustwave's website states:

Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, we enable businesses to transform the way they manage their information security and compliance programs.


         A. Affinity Gaming Initially Learns of a Data Breach.

         12. Over the course of 2012 through 2013, Affinity Gaming made various changes to its information technology (“IT”) network security, as part of an overall ongoing upgrade of its IT network systems in connection with the company's acquisition of several properties and contemporaneous separation from a shared services arrangement with a former affiliate.

         13. Despite Affinity Gaming's efforts at ensuring the security of its network and data, outside hackers were able to compromise the company's security.

         14. On or about October 24, 2013, Affinity Gaming learned of information that led it to believe it had suffered a data breach.

         15. Specifically, a small number of Affinity Gaming's customers, as well as local law enforcement, contacted the company regarding potential fraudulent credit card activity. Affinity Gaming's IT personnel responded to these reports and, based on their preliminary assessment, concluded that the company's data systems may have been compromised.

         16. Affinity Gaming quickly reported this suspected data breach to its cyber insurance carrier, ACE, as well as to interested entities such as card-issuing banks.

         17. ACE recommended that Affinity Gaming retain the services of a professional forensic data security investigators (“PFI”), and listed Trustwave as one of its panel of PFIs.

         B. Affinity Gaming Hires Trustwave.

         18. Affinity Gaming quickly contacted Trustwave to inquire whether Trustwave could help Affinity to identify and remedy the apparent data breach.

         19. From October 28-31, 2013, Trustwave personnel, including Chris Hague, Grayson Lenik and Matthew Aronson, had multiple direct and indirect conversations with Affinity Gaming personnel (including its Vice President of Insurance and Benefits and Vice President of Information Technology).

         20. During those conversations, Trustwave personnel represented that the company had the capabilities to, and would, identify and help remedy the causes of the data breach, as well as facilitate Affinity Gaming's implementation of measures to help prevent further such breaches.

         21. Hiring a firm with the proper data breach response expertise, such as Trustwave held itself out to be, was of paramount importance for Affinity Gaming, because, while Affinity takes seriously its data security obligations, and has implemented commercially reasonable and appropriate measures to protect its and its customers' data, Affinity is not an IT security firm and lacks the level of expertise and know-how in the technical aspects of data security that a firm like Trustwave purports to possess.

         22. Thus, with respect to the apparent data breach, Affinity Gaming was wholly dependent on, and subordinate in terms of its knowledge, understanding, and capabilities, to Trustwave, relying on Trustwave to investigate, diagnose, and prescribe appropriate measures to address, Affinity's apparently compromised data security.

         23. Moreover, Trustwave knew that it was important to Affinity's business relationships with its customers and credit card companies, as well as its relationships with its governmental regulators, that Affinity swiftly identify and resolve the data breach problem, so that Affinity could minimize the risk that it would suffer fines, penalties and monetary claims as a result of the breach.

         24. Relying on Trustwave's representations, in October 2013, Affinity Gaming hired Trustwave to investigate and help remedy the data breach.

         25. Trustwave drafted and presented to Affinity Gaming an Incident Response Agreement (the “Agreement”), which the parties Dated: October 31, 2013.

         26. In the Agreement, Trustwave agreed to undertake a “PCI [Payment Card Industry] Forensic Investigation.” Trustwave represented that “PCI Forensic Investigations are conducted on behalf of organizations that have a suspected compromise of their cardholder data environment, ” and that “PCI Forensic Investigations are designed to identify if, how, what, and for how long cardholder data has been compromised and to provide recommendations to increase security.”

         27. In the Agreement, Trustwave promised to provide a “PCI Forensic Investigation [PFI] Report.” That PFI Report had as its deliverables a description of the techniques and forensic analysis performed, the “technical findings, ” and “the conclusions of the investigation; has a compromise occurred; if so, what the evidence shows was the cause of the compromise; what data is at risk.”

         28. In the Agreement, Trustwave represented that its “[w]ork will be conducted in accordance with an agreement between Trustwave and the client, ” and that it would use “[a] rigorous quality assurance process.”

         29. Trustwave expressly warrantied in the Agreement that its “Services provided under this Agreement shall be performed with that degree of skill and judgment normally exercised by recognized professional firms performing services of the same or substantially similar nature.”

         C. Trustwave Performs a Woefully Inadequate “Investigation” and Submits a Misleading Report to Affinity.

         30. Trustwave investigators arrived at Affinity's offices on November 1, 2013. After more than two months meeting with Affinity personnel, analyzing Affinity's data systems, and providing a supposed diagnosis and suggested remedial measures for the data breach, on January 13, 2014, Trustwave submitted its PFI Report, describing its findings and activities.

         31. Trustwave stated in its PFI Report that “[t]he goal of the investigation was to determine the extent to which a breach may have occurred” (Emphasis added.)

         32. In its PFI Report, Trustwave defined the “initial scope of the engagement” as inspection of only 10 servers and systems and Affinity Gaming's “physical security” and “network topology.” 33. Affinity Gaming trusted, and was dependent on, Trustwave's assessment on what the proper scope of its engagement should be, given Trustwave's data security expertise, and in no way limited or restricted Trustwave's investigation of Affinity Gaming's data systems.

         34. In its PFI Report, Trustwave made numerous representations to Affinity, including, among other things, that:

• “Trustwave has completed 100% of [its] investigative efforts, ”
• that the data breach “compromise has been contained, ” and
• that a “backdoor[1] component appears to exist within the code base, but appears to be inert” (Emphases added.)

         35. Trustwave also stated that it “believe[d] that the attacker became aware of the security upgrades that were taking place and took several steps to remove both the malware and evidence of the attack itself. Almost all components of the malware[2] were deactivated and/or removed from the systems on October 16, 2013. This activity ended the breach.” (Emphasis added.)

         36. On the “Incident Dashboard” in the front of its PFI Report, Trustwave explicitly stated to Affinity Gaming: “Compromise Status - Contained: Malware removed”

(Image Omitted)

         37. Finally, Trustwave presented Affinity Gaming with a number of recommendations on how to improve the company's data security measures. Following the conclusion of Trustwave's engagement, Affinity Gaming began to implement Trustwave's recommendations.

         D. Despite Trustwave's Representations, Affinity Gaming Learns That Its Data Breach Had Not Been Contained, And That Its Data Systems Remained Unsecure.

         38. However, the truth was something quite different than what Trustwave represented.

         39. Shortly after Trustwave's engagement ended, and after Trustwave had promised that the data breach had been “contained” and the suspected backdoor(s) “inert, ” Affinity Gaming learned that its data systems still were compromised.

         40. Affinity Gaming hired Ernst & Young to perform penetration testing pursuant to new regulations from the Missouri Gaming Commission. On April 16, 2014, in the course of performing such a test, Ernst & Young identified suspicious activity, including ongoing activity from a malware program named “Framepkg.exe, ” which Trustwave had found, but apparently had not contained or sought to remediate, during its investigation in 2013.

         41. Concerned that Trustwave's so-called “forensic investigation” had not lived up to what Trustwave had represented, Affinity Gaming was forced once again to conduct a forensic investigation into its data security, retaining a second data security firm, Mandiant. Affinity Gaming contracted with Mandiant on April 19, 2014 to investigative the newly-discovered suspicious activity.

         42. Mandiant, like Trustwave was supposed to have done before, undertook an investigation to identify the source of the potential breach, ensure the breach was contained, and identify any security deficiencies. On April 23, 2014, Mandiant identified an ongoing incident affecting Affinity Gaming's cardholder data environment and initiated its own PFI.

         43. Mandiant's investigation initially focused on a period of attacker activity between December 6, 2013 and April 27, 2014. The scope of the investigation expanded to include the “previous” data breach that had occurred between March and October, 2013 - the data breach Trustwave supposedly had investigated - after Mandiant determined that Trustwave had failed to identify the entire extent of the breach.

         44. On April 28, 2014, Mandiant submitted a Preliminary PFI Report to Affinity Gaming and credit card companies, and submitted its final PFI Report on July 1, 2014 (the “Mandiant PFI Report”).

         45. Mandiant's conclusions were startling to Affinity Gaming.

         46. Mandiant's far more thorough and forthright investigation correctly diagnosed the true cause of the data breach - a cause that Trustwave could have and should have identified and helped remedy originally.

         47. Trustwave had failed to diagnose that the data breach actually was the result of unidentified outside persons or organizations who were able to compromise Affinity's data through Affinity Gaming's Virtual Private Network (“VPN”), [3] and that the “backdoor” these persons/organizations had created - which Trustwave had ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.