Banks impacted by the data breach of Target last year have come together to file a class-action lawsuit against the US retailer. A court filing also names security firm Trustwave as a co-defendant, saying that the firm “failed to live up to its promises or to meet industry standards.”
The breach, which resulted in the theft of at least 40 million customers’ credit card details, as well as 70 million other personal records, arose after an attack at HVAC contractor Fazio Mechanical Services Inc provided a bridge into Target’s own systems.
The plaintiffs in the case – Trustmark National Bank of New York and Green Bank of Houston – claim that the retailer and security company failed to prevent the theft of data.
The lawsuit, which is not the first filed against Target, shows the growing pressures and potential costs associated with breaches, which are themselves on the rise.
For their part, the banks are concerned with the costs they have borne in this case – the cost of issuing new cards to customers who may have been affected is estimated at around $172 million. The plaintiffs also cite future costs, including absorption of fraudulent charges made on stolen cards, lost profits, missed business opportunities and damage to the business as a whole, which could total as much as $1 billion.
Trustmark and Green Bank have included Trustwave in their lawsuit because they believe that vulnerabilities in Target’s systems remained “either undetected or ignored” in various audits up to September of last year.
Furthermore, the banks claim that the retailer stored “credit and debit card data on its servers for six full days before hackers transmitted the data to a separate webserver outside of Target’s network.” The lawsuit also claims that the breach remained undetected for a period of three weeks, even though Trustwave “provided round-the-clock monitoring services to Target.”
Additional claims levelled against Target include the suggestion that the firm was not in compliance with PCI-DSS at the time of the breach, despite the fact that Trustwave claims to provide guidance to millions of businesses on reaching the standard. The filing also claims that in-store POS terminals were not protected by any form of antivirus software. Trustmark National Bank and Green Bank further say that the retailer should not have allowed a third-party contractor to have access to its network.
Lawsuit aside, the effects on Target don’t make pretty reading either. The company recently announced a fourth-quarter fall in profits of 46%. The direct costs of the breach to the company already stand at $61 million, with only $44 million of that covered by cyber insurance. Further significant losses are to be expected as additional costs from fraud become quantifiable and are attributed to the business.
All in all, then, I think it is quite obvious that a data breach is bad news for any business on many different levels, ranging from the obvious financial aspects to potential legal action and, even more importantly, possible damage to reputation.
Whilst it’s obvious that not every business will be attacked in this way, UK businesses still have cause for concern.
So have you done everything you can to minimise the chances of your business being breached? Have you trained your staff to look for evidence of attack and to respond accordingly? Is your company looking at its risk management framework and the various standards such as PCI-DSS and ISO 27001? Has your organisation been proactive in preparing an incident response plan should the worst happen?