Trustwave has said that legal claims in regard to its involvement with the Target breach are without merit.
According to a statement posted online by chief executive Robert McCullen, the company said it is looking “forward to vigorously defending ourselves in court against these baseless allegations”.
He said: “As some of you may know, Trustwave was recently named as a defendant in lawsuits relating to the data security breach that affected Target stores in late 2013.
“Contrary to the misstated allegations in the plaintiffs’ complaints, Target did not outsource its data security or IT obligations to Trustwave. Trustwave did not monitor Target’s network, nor did Trustwave process cardholder data for Target. Our customers and business partners can continue to expect the quality and dedicated service Trustwave has provided them for almost 20 years.”
The complaint appeared last week, claiming that Target and Trustwave failed their duties to 110 million customers, and as Target outsourced its data security obligations to Trustwave, the ruling stated that this “failed to bring Target’s systems up to industry standards”.
The complaint said that Trustwave scanned the Target systems in September 2013 and told them that there were no vulnerabilities in their computer systems. However, reports found that Target kept credit and debit card data on its servers for six full days before hackers transmitted the data to a separate webserver outside of Target’s network because of vulnerabilities in their security systems that were “either undetected or ignored by Trustwave”.
It also said that Trustwave provided round-the-clock monitoring services to Target, which were intended to detect intrusions into Target’s systems and compromises of PII or other sensitive data. However, the data breach continued for nearly three weeks on Trustwave’s watch.
The banks that brought the action allege that they lost money from alerting customers to the breach, reimbursing fraudulent charges and reissuing cards. Those losses could increase if criminals ultimately use several million stolen cards, as some analysts project, according to Reuters.
While the complaint seeks unspecified damages of at least $5 million, New York-based Trustmark and Houston-based Green Bank said losses could top $1 billion for card issuers they hope to represent in a class action, and $18 billion for banks and retailers combined.
Commenting, Ilia Kolochenko, CEO of High-Tech Bridge, said: “This is a very interesting case actually, as it’s not only the victim [Target] who is being sued for negligence but also their IT security auditor. I don’t think that we can accuse Trustwave of being responsible for the data breach, as they were performing security testing and auditing in accordance with the PCI DSS standard (at least this is what is being said).
“Several years ago, I notified the PCI Council about vulnerabilities (including a critical one) on its own website. Obviously, the PCI DSS standard is continuously improving, but I think that practically speaking it’s still far from being perfect today. This is why when a customer asks a security company to perform just a standard PCI DSS audit, we cannot blame the security company.”