Digital Transactions Authoritative, insightful and timely information for payments professionals
Trustwave Holdings Inc., the leading provider of Payment Card Industry data-security standard (PCI) services to merchants, on Monday became the target of a lawsuit arising from the massive data breach at Target Corp. The suit, filed in U.S. District Court in Chicago by two banks, claims negligence on the part of Target and Trustwave for their alleged failure to prevent customer data from being stolen.
Target faces nearly 100 lawsuits from financial institutions and consumers in the wake of the breach it disclosed in December that compromised 40 million payment card numbers and non-card data on 70 million consumers. The new suit, however, reportedly is the first that connects Trustwave to the breach. Merchants typically do not identify their PCI service providers, and providers rarely name their clients.
Spokespersons for both Chicago-based Trustwave and Minneapolis-based Target said they would not comment on pending litigation.
The plaintiffs are New York City-based Trustmark Bank and Houston-based Green Bank N.A. Both banks issue MasterCard-branded credit and debit cards that were compromised in the breach. They are seeking unspecified damages of more than $5 million for their breach-related costs, including card re-issuance and fraud losses, and they also want class-action status for their suit on behalf of other financial institutions whose cards were compromised in the breach.
The suit alleges Target failed to comply with PCI’s rules for protecting its computers and point-of-sale network from hackers. The No. 2 general retailer also allegedly failed to meet requirements spelled out in the federal Fair and Accurate Transactions Act (FACTA) intended to prevent identity theft, as well as provisions of the Minnesota Plastic Card Security Act. The suit claims the Minnesota law is “one of the strongest consumer data-protection statutes in the country, which specifically codified some of the most pertinent provisions of the PCI DSS.”
Target reported to Congress in February that it passed its annual PCI audit last September. The company didn’t disclose the auditor, but the suit says “Target retained Trustwave during the relevant period of time to protect and monitor Target’s computer systems, and to bring Target’s systems into compliance with PCI DSS and other industry standards for protecting customers’ PII [personal identifying information] and sensitive payment card information.”
The suit goes on to say that, “On information and belief, Trustwave scanned Target’s computer systems on Sept. 20, 2013 and told Target that there were no vulnerabilities in Target’s computer systems.”
In addition, “Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target’s systems and compromises of PII or other sensitive data. In fact, however, the data breach continued for nearly three weeks on Trustwave’s watch.” The breach occurred between Nov. 27 and Dec. 15.
The plaintiffs cite press reports about how vulnerable Targets systems actually were. In a now-familiar story, hackers, apparently from Russia, gained access to Target's network using credentials stolen from a small Pennsylvania Target contractor, planted malware that grabbed customers’ card information from Target’s POS systems, parked it for a time in a Target server they controlled, and then exported it for sale on the black market.
In related news, Target’s chief financial officer, John Mulligan, is scheduled to testify Wednesday at a U.S. Senate committee hearing about how the retailer had clues about the breach weeks before responding, according to the Bloomberg news service. Target had installed an expensive intrusion-detection system called FireEye that alerted a Target technology operation in India before hackers had removed any data from its computers. The India office notified Target’s headquarters, but no one there responded, Bloomberg’s Businessweek magazine reported March 17.
The hearing before the Senate’s Commerce, Science, & Transportation Committee is titled, “Protecting Personal Consumer Information From Cyber Attacks and Data Breaches” and is set for 2:30 p.m. Eastern. Another scheduled witness is Ellen Richey, chief enterprise risk officer at Visa Inc.
