
Target breach lawsuit pins partial blame on security vendor Trustwave

The lawsuit cites Target for negligence in its massive data breach, and accuses Trustwave of not spotting the incident in a timely manner.

Chicago-based security and compliance vendor Trustwave Holdings Inc., one of the most prominent PCI DSS compliance assessment firms in the industry, has been named in a lawsuit filed by two banks in relation to Target Corp.'s massive data breach over the holiday shopping period.

The Target lawsuit, filed Monday in U.S. District Court by Houston-based Green Bank and New York-based Trustmark Bank, largely laid the blame for the breach at the feet of the Minneapolis-based retailer.

The eight-count suit includes counts of negligence, three counts related to violations of Minnesota state statutes, and counts seeking financial compensation for costs incurred by the banks as a result of the breach.

According to reports, attackers took advantage of the way in which Target allowed a third-party vendor, reportedly Pennsylvania-based Fazio Mechanical Services, to access its networks and improperly store payment card data. Attackers then planted malware on Target's point-of-sale systems, swiping payment card data and exfiltrating it from Target's network during a period of several weeks.

According to the lawsuit, Trustwave's negligence played a vital part in the breach, which resulted in the compromise of data from 40 million credit and debit cards, as well as personal information of 70 million of the retailer's customers. Target contracted Trustwave, according to the legal filing, to protect and monitor its systems and help bring them into compliance with PCI DSS and other relevant payment card and customer data security regulations during the period in which the breach occurred.

"Trustwave scanned Target's computer systems on Sept. 20, 2013, and told Target that there were no vulnerabilities in Target's computer systems," according to the legal brief, which was first reported by "Trustwave also provided round-the-clock monitoring services to Target, which [were] intended to detect intrusions into Target's systems and compromises of PII or other sensitive data. In fact, however, the data breach continued for nearly three weeks on Trustwave's watch."

The filing goes on to accuse Trustwave of failing to "meet industry standards," and ultimately, the company "did not discover and report the data breach to Target or the public" in a timely manner. Target's systems were compromised during the course of nearly three weeks, from Nov. 27 to Dec. 15, though industry reports differ regarding whether Trustwave alerted Target to the breach.

Though the inclusion of Trustwave in the Target lawsuit may be seen by some in the industry as a harbinger of things to come, this is actually not the first instance in which the Chicago-based security and compliance vendor has been named in data breach litigation.

Trustwave was also involved in a lawsuit relating to the 2012 breach at South Carolina's Department of Revenue, an incident that involved the theft of millions of South Carolinians' Social Security numbers, as well as payment card and bank account data. The company was included in that suit because the Department of Revenue had chosen Trustwave's security services over those of South Carolina's own Department of State Information Technology.

Estimating that financial institutions will spend approximately $172 million to replace payment cards, along with total losses potentially hitting $18 billion, the banks that filed the lawsuit are seeking damages in excess of $5 million from Target and Trustwave.

Both Trustwave and Target declined SearchSecurity's request for comment on the pending litigation.


Among the myriad lessons from the Target breach, perhaps the most important is that "Compliance" does NOT equal Security. Target was certified as compliant according to all applicable regulations, and was discovered after the fact to have failed to meet many of the requirements. So how did this happen?

- First, compliance is often used as a guide to the least possible amount of security necessary to comply.

- Second, regulations are based on best practices to provide a baseline of security for past threats, not a solution to maximize security for the future.

- Security auditors often come in selling a solution, rather than looking for a problem.

- In other cases, auditors are paid to come in and find what they’re told to find by the very company they’re supposed to be assessing!

- Many companies rely on access controls and firewalls for security, even though they consistently fail to prevent breaches.

- SIEM solutions are fogged by noise and usually find evidence only after a breach has already occurred.

Ulf Mattsson, CTO Protegrity
Many of the failures of data security today can be directly attributed to the negligence or ignorance of best practices for protecting data. The answer lies in independently verified solutions that protect the data itself. Decoupling the assessment from the solution is vital to an unbiased audit. I think that cyber insurance should play a bigger role in this scenario. The insurance premium level should be related to the types of security controls that the merchant implements. The insurance premium could reflect the quality of the security solution and that of the auditing performed.

Ulf Mattsson, CTO Protegrity
In addition, if breaches cannot be wholly prevented or detected in real time, then the data must be secured to the point that it is useless to a potential thief. Modern solutions such as tokenization provide better security than encryption, while retaining usability for analytics and monetization. Studies have shown that users of data tokenization experience up to 50 percent fewer security-related incidents (e.g. unauthorized access, data loss, or data exposure) than non-users.

With an objective system to verify security in place, and a strong solution to actually protect data rather than building walls around it, companies can be assured that they are actually secure, rather than just ticking a compliance checkbox.

Ulf Mattsson, CTO Protegrity
Failing to properly secure customer data, enabling the theft of about 40 million payment card records plus 70 million other records, including addresses and phone numbers.
Well, as much as I want to agree with all that Ulf said: what best practices? Who sets them? Who decides they are best? And do they come with expiration dates? Because in my experience, these security issues crop up where you thought you had your bases covered; all it takes is one update to cause an issue, just one.