A series of legal actions have begun over the serious breach suffered by US retailer Target.
According to the complaint, as “Target and Trustwave failed their duties to 110 million customers, it falls to the Banks and the other Class members to protect those customers by reissuing their credit and debit cards, and communicating with those customers to prevent fraud and repay any fraudulently-made purchases”.
The ruling said that the banks and the other class members have therefore been damaged by defendants’ actions and are entitled to recover those damages. Also as Target outsourced its data security obligations to Trustwave, the ruling states that this “failed to bring Target’s systems up to industry standards”.
Trustwave scanned the Target systems in September 2013 and told them that there were no vulnerabilities in their computer systems. However, reports found that Target kept credit and debit card data on its servers for six full days before hackers transmitted the data to a separate webserver outside of Target’s network because of vulnerabilities in their security systems that were “either undetected or ignored by Trustwave”.
As a result of this, hackers were able to take 40 million payment card records, encrypted PINs and 70 million records containing Target customer information over the course of two weeks.
The complaint also said that Trustwave provided round-the-clock monitoring services to Target, which was intended to detect intrusions into Target’s systems and compromises of PII or other sensitive data. However, the data breach continued for nearly three weeks on Trustwave’s watch. “Trustwave failed to live up to its promises, or to meet industry standards. “Trustwave’s failings, in turn, allowed hackers to cause the data breach and to steal Target customers’ PII and sensitive payment card information. In addition, Trustwave failed to timely discover and report the data breach to Target or the public,” the complaint said.
Commenting, Craig Young, security researcher at Tripwire, said: “It will be interesting to see which factors the judge and jury consider when determining whether Trustwave should be held accountable for some portion of damages resulting from the Target breach. If the courts were to assign blame solely to Trustwave, security auditors could start to be viewed as another type of insurance policy against data breaches.”
Calum MacLeod, VP of EMEA at Lieberman Software Corporation, said: “So why do they stop at Trustwave? Why not sue all the security vendors who supply Target. Surely they are all culpable. What this should do is serve as a wakeup call that ticking a compliance box is no longer sufficient.
“The problem with compliance is that those who are required to comply will focus on minimum requirements. Maybe finally someone will realize that ticking a box in an RFP is not the answer and maybe it’s time for vendors in the security space to modify their language. Phrases like Stop Advanced Attacks, Total Security for Business, Avoid Breaches, Achieve Compliance, and Stop Insider Threats, and any such claims should all come with a disclaimer that says ‘This has been written by our Marketing Department and no liability is accepted for the complete inaccuracy of such statements’.”