CHICAGO (CN) - Kmart's failure to protect customer information with "elementary" security measures left banks liable for the resulting fraud, a federal class action claims.
First NBC Bank filed the class action Tuesday against Kmart Corp. and parent company Sears Holding Corp, regarding an announcement that hackers had breached Kmart's payment-data systems in early September.
Kmart warned that customers who had used a credit card there for the past five weeks may have had their financial information stolen.
First NBC Bank says the infiltration occurred because Kmart's outdated anti-virus system had not been updated to detect the malware that the hackers used.
"POS registers at its stores were infected with software that stole customer credit and debit card information from the registers," the complaint states, using the abbreviation for point of sale.
Target fell victim to this same strategy in 2013, but Kmart made no efforts to protect its customers' data amid evidence that it was vulnerable to a similar attack, the bank claims.
"The deficiencies in Kmart's security system include a lack of elementary security measures that even the most inexperienced IT professional could identify as problematic," according to the complaint.
First NBC Bank says that Kmart's security system did not measure up to core security standards that the payment card industry requires of merchants. Visa allegedly warned of the specific threats to which Kmart fell victim as early as 2009.
"Despite the fact that defendants were put on notice of the very real possibility of consumer data theft associated with their security practices and despite the fact that defendants knew or, at the very least, should have known about the elementary infirmities associated with the Kmart security systems, they still failed to make necessary changes to their security practices and protocols," the bank says.
This alleged negligence left the card-issuing banks and institutions liable for fraudulent card activity, as well as the cost of identity protection measures.
"Defendants' public statements to customers after the data breach plainly indicate that defendants believe that card-issuing institutions should be responsible for fraudulent charges on cardholder accounts resulting from the data breach," the complaint states. "While Kmart has made free credit monitoring available to consumers affected by the data breach, it has made no overtures to the card-issuing institutions that are left to pay for damages as a result of the breach."
Kmart has not revealed how many customers the breach affected.
First NBC seeks damages for violation of the Illinois Personal Information Protection Act, fraud, negligence and negligent misrepresentation.
It is represented by Lori Fanning with Miller Law.
Read the Top 8
Sign up for the Top 8, a roundup of the day's top stories delivered directly to your inbox Monday through Friday.