Target Credit Card Breach: Banks Sue Retailer and Security Firm
Target is receiving more flack for the December security breach as two banks filed a lawsuit against the nation's No. 3 retailer for not properly protecting customer data.
Cyberthieves made off with the personal records of 110 million Americans late last year, including 40 million credit cards, making it the largest theft or retail data in history.
The lawsuit filed Monday by Trustmark National Bank and Green Bank NA in Chicago federal court is also leveled at Trustwave Holdings Inc, a credit card security firm that is being accused of outsourcing services and being negligent.
"The damage done to the banks and the other class members is monumental," the lawsuit said.
"In response to these legal filings, Trustwave would like to reassure our customers and business partners that these claims against Trustwave are without merit, and that we look forward to vigorously defending ourselves in court against these baseless allegations," Trustwave CEO Robert McCullen wrote in a letter to customers and business partners Saturday.
"Contrary to the misstated allegations in the plaintiffs' complaints, Target did not outsource its data security or IT obligations to Trustwave. Trustwave did not monitor Target's network, nor did Trustwave process cardholder data for Target.
"Our customers and business partners can continue to expect the quality and dedicated service Trustwave has provided them for almost 20 years."
Efforts to reprimand Target for allowing such a debacle to happen have been ramped up in recent weeks. A Bloomberg Businessweek report in mid-March revealed Target was indeed warned about the breach but failed to act. The retailer's security team in Bangalore noticed suspicious activity at the end of November after the busy Black Friday shopping weekend and forwarded their concerns.
"The best technology in the world is useless unless there's good management," Senator Richard Blumenthal, a Democrat from Connecticut, said at a Senate hearing Wednesday.
"And here, to be quite blunt, there were multiple warnings from the company's anti-intrusion software; they were missed by management."
"We know this has shaken their confidence, and we intend to earn it back," Target CFO John J. Mulligan said at the hearing. "Like you, we are asking hard questions about whether we could have taken different actions before the breach was discovered that would have resulted in different outcomes."
"Our investigation of the matter is ongoing and it is possible that we will identify additional information that was accessed or stolen, which could materially worsen the losses and reputational damage we have experienced," Target said in its 10-K report filed with the Securities and Exchange Commission.
The data breach at Target has raised a number of alarms within the U.S. government, especially concerning the handling of information vital to the public in light of such a breach. Many in the government feel that Target was not transparent enough, and that big firms need to recognize cybercrime as a legitimate threat and have procedures in place to properly inform the public.
"Businesses should be required to provide prompt notice to consumers in the wake of a breach. American consumers should know when they are at risk of identify theft or other harms because of a data security breach," Acting Assistant Attorney General Mythili Raman told the Senate Judiciary Committee hearing last month.