Banks Scorch Target for Giant Data Breach
DALLAS (CN) - Two credit unions and a bank have joined the long list of plaintiffs suing Target for its massive data breach.
Employees Credit Union, of Dallas; KC Police Credit Union, of Kansas City, Mo.; and American Bank of Commerce, of Wolfforth, Texas, filed a proposed class action against the Minneapolis-based retailer Thursday in Federal Court.
Target announced in December that data for as many as 40 million credit and debit cards used from November 27 to December 15 in its stores were stolen. It later increased the number of possible data breaches to 70 million or more.
Stolen information included names, credit card numbers, expiration dates and the three-digit security codes on the back of the cards.
At least 53 lawsuits have been filed against Target since the breach, according to the Courthouse News database.
In the most recent case, the financial institutions claim as many as 70 million identities were stolen.
The credit unions and bank claims they will have to pay to cancel and reissue compromised cards, absorb fraudulent charges made on the cards, and lose anticipated profits from the most lucrative retail month of the year, between Thanksgiving and Christmas.
The credit unions claim Target knew its point-of-sale system was vulnerable to attack as far back as 2007.
They say hackers used a vulnerability in the system through an outside refrigeration contractor that was allowed to link remotely to Target's internal network. The hackers installed malware on the payment card-swiping machines at each of Target's 1,800 locations to steal the information, according to the complaint.
"The Target data breach could have been prevented. As early as 2007, Target was warned by a data security expert about the possibility of a data breach in its point-of-sale system," the 59-page complaint states. "Target was told how to prevent such a breach and, if the preventative measures were not taken, warned that a data breach could result in as many as 58 million payment cards being compromised - an amazingly accurate prophecy. Even though Target described the security expert's suggestions as 'good ideas,' on information and belief, it did not implement them."
The banks claim that had a layered security system been in place, the hackers would have had to determine how to deploy their malware and then determine how to get around the antivirus software running on the payment terminals.
"Even if they could have accomplished these feats - which they would not have been able to do - the malware would have been blocked by the firewall or network segmentation when trying to access the Internet," the complaint states. "Had Target taken even the most fundamental layered data security measures, the breach would not have happened."
Molly Snyder, Target's group manager for public relations, declined to comment on the lawsuit Friday morning.
The financial institutions seek actual and punitive damages for negligence, negligent misrepresentation, breach of contract, unjust enrichment and racketeering. They are represented by Richard Coffman in Beaumont.