Breach, Data Security

Target tells court its not liable in bank class-action suit

According to a dismissal filing made in a federal court Sept. 2 Target doesn't believe that it should be held liable for costs incurred by financial institutions as a result of the retailer's now infamous data breach last December.

A group of banks had filed what eventually became a multibillion-dollar class-action lawsuit against Target, contending that its negligence in handling credit and debit card data led to hackers snagging information on about 100 million consumers in this country, a report in the Twin Cities Pioneer said. The financial institutions in an August suit said that they “have suffered substantial losses” that they blame on “Target's failure to adequately protect sensitive payment data. Those losses include everything from the cost of notifying customers and reissuing cards to “reimbursing customers for fraudulent transactions” and paying for credit monitoring.

They claimed that the Minneapolis-based retailer is in violation of federal law and also broke state law by hanging on to the information after transactions were completed. But Target's attorneys argued this week in a U.S. District Court in Minnesota that the company is not legally accountable because it, like other retailers get “authorization and payment for the transaction” when a customer swipes a card “from a payment processor and/or merchant bank” rather than a “bank that issued the card.”

Banks, in turn, have contracts with card payment companies like MasterCard and “obtain authorization and payment” from them, Target's attorneys said, so merchants “have no direct dealings” with banks during the payment process. And, they claimed, Target did not store the sensitive information but rather the breach occurred as attackers snagged the data in real time when consumers swiped their cards.

Stolen vendor credentials were eventually blamed for the breach. And in last week's filing, attorneys for the company pointed that out that hackers “deployed custom point-of-sale malware to Target's registers” that allowed them to snare customer information in real-time at the register. But Businessweek reported in March that at the end of 2013, the retail giant installed a $1.6 million malware detection system from security company FireEye that later picked up on the attackers' suspicious activity – on multiple occasions, but Target seems to have done nothing about it.

The company's reputation and financials have taken a hit in the aftermath and the high-profile breach caused a shakeup at the top of its organizational chart as well as in its IT and security departments.

And Target has been hit with more than 140 lawsuits, which have been consolidated into three groups — consumer lawsuits, financial institution complaints, or shareholder claims —in the U.S. District Court in Minnesota.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.