Target, Trustwave Sued Over Breach

Experts Analyze Unusual Details of Case Filed by Banks
Target, Trustwave Sued Over Breach

Legal and fraud experts are sizing up a class-action lawsuit filed by banking institutions against Target Corp. as well as Trustwave Holdings Inc., a qualified security assessor allegedly hired by the retailer before its massive point-of-sale network breach last year.

See Also: The State of Organizations' Security Posture as of Q1 2018

In seeking to recoup banks' expenses tied to the breach, the lawsuit, filed March 24 by Trustmark National Bank and Green Bank, claims, among other things, that Trustwave failed to maintain ongoing compliance with the Payment Card Industry Data Security Standard and other industry standards for protecting personally identifiable information and other sensitive cardholder data.

But financial fraud expert Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation, questions how much liability a third-party QSA really has when it comes to a retail breach.

"By naming Trustwave along with Target, this lawsuit is a real stretch," he says. "Until it plays out, though, it's going to make security vendors everywhere pretty nervous."

Security vendors are mindful of the increasing breach risks their clients face, he adds.

"[They] are acutely aware of the possibility of making a mistake, overtly or by omission, in the work they do for a client, especially those operating in the litigation-happy U.S," Wills says. "The chances of such a mistake happening are actually very high, and they get higher every day as data breach threats become ever-more numerous and complex."

As a result, security vendors typically limit their breach liability in their contracts, carry insurance to address oversights or "mistakes," and are mindful to thoroughly document their actions when performing security assessments, he adds.

This is not the first time a third-party, or Trustwave, has been sued after a breach, says privacy attorney David Navetta, co-founder of the Information Law Group. But it is the first time a QSA has been sued by card issuers, he says.

"Ultimately, I think these cases are hard for plaintiffs like banks, because they don't have direct relationships with vendors like Trustwave," Navetta says. "Without a contract or some other independent legal obligation to link in to, it is difficult for plaintiffs to prevail."

The Allegations

Like other complaints recently filed against Target, including the class-action lawsuit filed earlier this month by Umpqua Bank, Trustmark National Bank and Green Bank claim Target is responsible for all expenses and fraud losses incurred by card-issuing institutions as a result of its 2013 breach (see Suits Against Target Make 'Statement').

The 48-page complaint, filed in the U.S. District Court for the Northern District of Illinois, also alleges Trustwave ultimately failed to ensure Target's POS network and other systems were secure.

"On information and belief, Trustwave scanned Target's computer systems on Sept. 20, 2013, and told Target that there were no vulnerabilities in Target's computer systems," the complaint alleges. "Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target's systems and compromises of PII or other sensitive data. In fact, however, the data breach continued for nearly three weeks on Trustwave's watch."

In a response to Information Security Media Group on March 25, Trustwave states: "Our company's policy is not to confirm that any party is a customer, not to comment on specific customers and not to comment on pending legal matters."

A Target spokeswoman tells Information Security Media Group Target can't comment on pending litigation.

Lawsuit Cites Gonzalez Case

The complaint alleges, among other things, that Target failed to disclose its breach in a timely manner and had previously suffered breaches and been warned that its payments systems were vulnerable to attack.

It also brings into question Target's ongoing security practices. The suit alleges a Target connection to the Albert Gonzalez-led mega-breach that impacted an estimated 170 million payment cards back in 2008.

"In 2007, a computer hacker named Albert Gonzalez stole and resold more than 170 million card and ATM numbers from numerous retailers, including Target," the complaint alleges. "Target attempted to conceal the fact that it had been subject to the Gonzalez attack, and only later disclosed that its customers' information had been compromised after a blogger reported that Target had been an unnamed retailer described in an indictment against Gonzalez filed by law enforcement."

Following the Gonzalez scandal, data security experts warned that yet another potential data breach of Target's POS system was likely, and they provided information on how to prevent such a breach, the complaint contends. "Experts also warned that failure to implement preventative measures could result in an even larger data breach."

But the complaint claims Target ignored those warnings, which ultimately resulted in the massive breach it suffered in 2013, which exposed some 40 million debit and credit cards as well as other sensitive information about an additional 70 million of its customers.


About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.eu, you agree to our use of cookies.