Affinity discovered that it had a problem in the fourth quarter of 2013, when law enforcement officials made it aware that the credit card details of various people had been misused. Looking for what all of those people had in common led investigators to Affinity Gaming, and in-house investigators then discovered that malware was allowing credit card information to be stolen from several of its machines.
It was at that point that Affinity hired the Trustwave security company to ‘investigate, diagnose and help remedy’ the data breach. Trustwave then assured Affinity that the data breach had been contained and gave the company recommendations to help prevent similar malware attacks in the future. The original breach had taken place from March to October 2013.
If that had been the end of the story then all would have been well, but it wasn’t. Affinity later discovered (following legal compliance tests by Ernst & Young) that suspicious activity was ongoing, and it had to hire another security company, Mandiant, to investigate the situation again. Mandiant discovered that Trustwave’s work had been ‘woefully inadequate’ and that the claim that the data breach had been ‘contained’ was false. In short, Trustwave had left malware on one of the Affinity servers which allowed more data to be stolen between December 2013 and April 2014.
It is said that the details of more than 300,000 credit cards were stolen in total, and Affinity is now seeking damages from Trustwave of at least $100,000. Trustwave has said that it disputes the allegations, and that it intends to defend itself vigorously.