On Tuesday, a District Court judge in Minnesota ruled [PDF] that a group of banks can proceed to sue Target for negligence in the December 2013 breach that resulted in the theft of 40 million consumer credit card numbers as well as personal information on 70 million customers. The banks alleged that Target had “failed to heed warning signs” that would have stymied the banks' losses.
The breach occurred between mid-November and mid-December in 2013, after hackers placed malware on Target POS systems that made it possible for them to steal credit card numbers as consumers swiped. The vast number of people affected by the breach made Target's hack the most notorious, but subsequent reports revealed that Target was only one of many big-name retail stores that had credit card data stolen—Neiman Marcus, Michaels, and later Home Depot customers were also revealed to be targets.
After the breach, multiple banks and consumers sued Target in Minnesota, where the company is headquartered. The lawsuits from both banks and consumers were grouped together into two consolidated class action complaints. Target filed a motion to dismiss the claims made by the financial institutions, but District Court Judge Paul A. Magnuson ruled that the plaintiffs' claims were valid.
The decision could lead to significant changes in the way the cost of fraud is distributed among parties in the credit card ecosystem. Where once banks and merchant acquirers would have to shoulder the burden of fraud (which is how they have long justified increasing Interchange Fees), now, potentially, the order from Magnuson could pave the way for more card-issuing banks to sue merchants for not protecting their POS systems properly.
And if the plaintiffs in this case prevail in court, the costs to Target and other merchants could be steep. The New York Times reports that “The cost of replacing stolen cards from Target’s breach alone is roughly $400 million—and the Secret Service has estimated that some 1,000 American merchants may have suffered from similar attacks.” Last month, Home Depot revealed that it had civil lawsuits filed against it in the wake of its summer hack. Those claims, however, were filed by state and federal agencies and appear not to have involved banks seeking financial restitution.
Magnuson said on Tuesday that the financial institutions had presented plausible claims that Target did not secure its systems properly.
“Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur,” the judge wrote in his order. “Indeed, Plaintiffs’ allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case.”
Target had purchased and installed a new security program from FireEye just months before the breach. But among the litany of security issues that the plaintiffs say Target fumbled (which you can read on pages 59 to 66 here [PDF]), the complaint against Target also claims that the retailer ignored security alerts from that same software.
“On or about November 30, 2013, the hackers installed exfiltration malware – a program that takes the stolen information and moves it from Target’s computer systems to the hackers’ computer systems after several days,” the complaint reads. “FireEye, Target’s new security software provider, detected that the hackers were uploading the malware and alerted Target’s security team about the suspicious activity. Target’s security team took no action.”
Anonymous sources connected to the federal investigation of Target also confirmed that version of events to The New York Times.
The judge also ruled that a bank suit against Target is valid because the plaintiffs adequately showed that Target failed “to disclose that its data security systems were deficient.”
Comments
Post a Comment