Target, security auditor Trustwave are sued over data breach

Wed Mar 26, 2014 1:27pm EDT

The sign outside a Target store is seen in Arvada, Colorado February 14, 2014. REUTERS/Rick Wilking

The sign outside a Target store is seen in Arvada, Colorado February 14, 2014.

Credit: Reuters/Rick Wilking

(Reuters) - Target Corp and Trustwave Holdings Inc, which provides credit card security services, have been sued by two banks for "monumental" losses they say card issuers will face because of the retailer's holiday season data breach.

In a complaint filed on Monday in Chicago federal court, Trustmark National Bank and Green Bank NA accused the defendants of failing to properly secure customer data, enabling the theft of about 40 million payment card records plus 70 million other records, including addresses and phone numbers.

The banks said they lost money from alerting customers to the breach, reimbursing fraudulent charges and reissuing cards. These losses could increase, they said, if criminals ultimately use several million stolen cards as some analysts project.

While the complaint seeks unspecified damages of at least $5 million, New York-based Trustmark and Houston-based Green Bank said losses could top $1 billion for card issuers they hope to represent in a class action, and $18 billion for banks and retailers combined.

Target already faces dozen of lawsuits over the breach. Monday's case may be the first to focus on Trustwave, a privately held Chicago-based company to which the banks said Target had outsourced some data security services.

Molly Snyder, a Target spokeswoman, said the retailer did not discuss pending litigation. Trustwave spokeswoman Abby Ross said that company had a policy of not confirming its customers' identities or discussing pending legal matters.

The data breach occurred from November 27, the big shopping day known as Black Friday, to roughly December 15.

In a Tuesday report issued ahead of a U.S. Senate committee hearing on protecting consumer data from cyber attacks, Senate staffers said Target "missed a number of opportunities" to stop the breach.

According to the lawsuit, Minneapolis-based Target knew as early as 2007 that its systems were vulnerable but resisted making improvements, in part to keep costs down. It ultimately outsourced data security to Trustwave.

Despite advertising its "deep expertise" in payment card industry compliance, however, Trustwave failed to bring Target's computer systems up to industry standards and as late as September 20 found "no vulnerabilities," the complaint said.

"The damage done to the banks and the other class members is monumental," the lawsuit said.

Trustmark and Green Bank seek to hold Target and Trustwave liable for losses under a Minnesota law addressing payment card security, as well as for negligence and violations of other state consumer laws.

Crain's Chicago Business and American Banker had reported the lawsuit earlier.

The case is Trustmark National Bank et al v. Target Corp et al, U.S. District Court, Northern District of Illinois, No. 14-02069.

(Reporting by Jonathan Stempel in New York, Arnab Sen in Bangalore and Jim Finkle in Boston; Editing by Gopakumar Warrier and Lisa Von Ahn)

FILED UNDER:
We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
Comments (4)
AlkalineState wrote:
“Target, security auditor Trustwave are sued over data breach.”

Ya think?

Mar 26, 2014 1:15pm EDT  --  Report as abuse
tatman wrote:
here we have the poster child for consumer shopping greed — they knew what was coming with the breach, ignored every sign and warning, destroyed their customer’s trust and security, failed to report it to their customers and/or authorities so as not to dent their holiday profits, and continued to woo customers in to spend more money KNOWING FULL WELL that their security had been compromised.

i will never spend another penny at a target store — and i hope they pay dearly for their negligence and this breach of trust and ethics that has cost consumers and banks tens of millions of dollars.

target blows.

Mar 26, 2014 2:42pm EDT  --  Report as abuse
lauradeen wrote:
The excellent story by Michael Riley and others for BusinessWeek (http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data) makes it crystal clear that Target’s own IT staff made many critical errors in identifying the breach and sealing it.

There’s no doubt that the class action suits that arise from this are likely to have significant business impact on both Target and Trustwave, and likely other affiliated companies as well.

It’s not too soon for shareholders to suspect that this could be the beginning of the end for Target.

Mar 26, 2014 9:19pm EDT  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.