After 40 million cards were affected in the Target hacking incident that occurred in the weeks following Thanksgiving 2013, two banks have stepped forward and sued Target Corp. These two banks, New York City-based Trustmark National Bank and Houston-based Green Bank N.A., have also sued Trustwave. Trustwave Holdings Inc. is a data-security services provider that Target outsourced its data security to.
According to a report issued by the U.S. Senate committee, Target missed several opportunities to stop the breach. In an article by Jonathan Stempel, “Target, security auditor Trustwave are sued over data breach”, he reports that “According to the lawsuit, Minneapolis-based Target knew as early as 2007 that its systems were vulnerable but resisted making improvements, in part to keep costs down. It ultimately outsourced data security to Trustwave.”
Trustwave claims to have great expertise in payment card industry compliance, but its ability to keep its clients up to date is being greatly questioned after the Target incident. According to Stempel, “Trustwave failed to bring Target’s computer systems up to industry standards and as late as September 20 found ‘no vulnerabilities,’ the complaint said.”
Another puzzling part to this story is that Target still failed to act even after they employed new network monitoring tools by working with FireEye; FireEye specializes in Internet security. According to an article “Target Ignored Warnings before Hackers Stole 70 Million Credit Cards, says New Report” by Konrad Krawczyk, “On November 30, FireEye sent alerts to Target identifying that malware named ‘malware.binary’ was present on the retailer’s networks, and figured out which servers the hackers had taken over.” As these threats continued, more alerts were sent out. However, the security team at Target ignored the warnings.
Another puzzle has been the withdrawal of the lawsuits filed against Target and Trustwave by the two banks that sued them. According to Jim Daly of Digital Transactions, the lawsuits were dismissed in two separate motions only a week after they were originally filed. “Two of their attorneys did not respond to Digital Transactions News requests for comment. Both banks filed for dismissal without prejudice, which means they could return to court with an amended complaint.”
With Target and Trustwave refusing to comment on the situation and banks filing lawsuits and then withdrawing them, it seems that it has been a game of trying to find who is the most at fault. The underlying issue and concern, however, is how seriously businesses are really taking their security. In the end, it will determine whether customers feel secure to continue to shop and to spend their money at their favorite stores.