Chicago-based security and compliance vendor Trustwave Holdings Inc., one of the most prominent PCI DSS compliance assessment firms in the industry, has been named in a lawsuit filed by two banks in relation to Target Corp.'s massive data breach over the holiday shopping period.
The Target lawsuit, filed Monday in U.S. District Court by Houston-based Green Bank and New York-based Trustmark Bank, largely laid the blame for the breach at the feet of the Minneapolis-based retailer.
The eight-count suit includes counts of negligence, three counts related to violations of Minnesota state statutes, and counts seeking financial compensation for costs incurred by the banks as a result of the breach.
According to reports, attackers took advantage of the way in which Target allowed a third-party vendor, reportedly Pennsylvania-based Fazio Mechanical Services, to access its networks and improperly store payment card data. Attackers then planted malware on Target's point-of-sale systems, swiping payment card data and exfiltrating it from Target's network during a period of several weeks.
According to the lawsuit, Trustwave's negligence played a vital part in the breach, which resulted in the compromise of data from 40 million credit and debit cards, as well as personal information of 70 million of the retailer's customers. Target contracted Trustwave, according to the legal filing, to protect and monitor its systems and help bring them into compliance with PCI DSS and other relevant payment card and customer data security regulations during the period in which the breach occurred.
"Trustwave scanned Target's computer systems on Sept. 20, 2013, and told Target that there were no vulnerabilities in Target's computer systems," according to the legal brief, which was first reported by ChicagoBusiness.com. "Trustwave also provided round-the-clock monitoring services to Target, which [were] intended to detect intrusions into Target's systems and compromises of PII or other sensitive data. In fact, however, the data breach continued for nearly three weeks on Trustwave's watch."
The filing goes on to accuse Trustwave of failing to "meet industry standards," and ultimately, the company "did not discover and report the data breach to Target or the public" in a timely manner. Target's systems were compromised during the course of nearly three weeks, from Nov. 27 to Dec. 15, though industry reports differ regarding whether Trustwave alerted Target to the breach.
Though the inclusion of Trustwave in the Target lawsuit may be seen by some in the industry as a harbinger of things to come, this is actually not the first instance in which the Chicago-based security and compliance vendor has been named in data breach litigation.
Trustwave was also involved in a lawsuit relating to the 2012 breach at South Carolina's Department of Revenue, an incident that involved the theft of millions of South Carolinians' Social Security numbers, as well as payment card and bank account data. The company was included in that suit because the Department of Revenue had chosen Trustwave's security services over those of South Carolina's own Department of State Information Technology.
Estimating that financial institutions will spend approximately $172 million to replace payment cards, along with total losses potentially hitting $18 billion, the banks that filed the lawsuit are seeking damages in excess of $5 million from Target and Trustwave.
Both Trustwave and Target declined SearchSecurity's request for comment on the pending litigation.