
Banks drop Target breach lawsuit amid Trustwave liability questions

It remains unclear whether Trustwave could be held liable for Target's massive 2013 data breach in future litigation.

Two banks have suddenly dropped what was expected to be a precedent-setting lawsuit related to the massive data breach at Target Corp., perhaps temporarily sparing the retailer's audit firm, Trustwave Holdings Inc., from being held liable for its client's breach.


In the lawsuit, which was filed on March 25 in Chicago's U.S. District Court by Houston-based Green Bank and New York-based Trustmark Bank, the Minneapolis-based retailer was blamed for the weeks-long data breach, which occurred during the 2013 holiday shopping period. The breach resulted in the theft of approximately 40 million credit and debit card numbers, as well as the personal information of 70 million customers.

Unusually, the banks also sought to pin liability on Trustwave, one of the most prominent PCI DSS compliance assessment firms in the industry, alleging that Target had contracted the company to perform a number of security services, including providing "round-the-clock monitoring services" for its systems and bringing the company into compliance with PCI DSS standards.

Specifically, the lawsuit alleged Trustwave had "told Target that there were no vulnerabilities in Target's computer systems" after performing a scan on Sept. 20, 2013, and ultimately accused the security vendor of failing to "meet industry standards" by not spotting the Target breach in a timely manner.

Trustwave last week repeatedly declined to comment on the suit, but over the weekend the company published a short statement from its CEO, Robert McCullen, on its website denying some of the allegations laid out in the legal filing.

"Trustwave would like to reassure our customers and business partners that these claims against Trustwave are without merit, and that we look forward to vigorously defending ourselves in court against these baseless allegations," McCullen said in the statement. "Contrary to the misstated allegations in the plaintiffs' complaints, Target did not outsource its data security or IT obligations to Trustwave. Trustwave did not monitor Target's network, nor did Trustwave process cardholder data for Target."

Though it is unclear what impact Trustwave's statement had on the pending litigation, the outlet that first reported on the lawsuit confirmed that court documents indicated the filing had been dropped, though it noted the case was "dismissed without prejudice," leaving the door open for the suit to be refiled in the future.

At the time of publishing, neither Trustmark Bank nor Green Bank responded to SearchSecurity's requests for comment. A Trustwave spokesperson said the company had no further comments at this time.

Michael Scheidell, managing partner for Boca Raton, Fla.-based IT assessment firm Security Privateers, said the lawsuit's allegations had seemed a "little strange." He questioned whether pulling the filing meant the banks' sources behind the information on Trustwave's involvement in the Target breach were reliable.

Though Trustwave's McCullen pointedly denied a number of allegations in his statement, including monitoring Target's systems and processing any cardholder data, McCullen did not deny that Target was a Trustwave client, Scheidell noted, nor that the security vendor had performed at least one PCI assessment for the retailer. If Trustwave did perform an assessment, Scheidell found the possibility of the auditors not finding any vulnerabilities, as indicated in the lawsuit, to be absurd.

"I've been doing this 14 or 15 years, and I've never not found a vulnerability" during an assessment, Scheidell said. "There's always something somewhere -- whether it's small or big, whether it's hard to take advantage of or leads to a data breach, there [are] always vulnerabilities somewhere. So that is a ridiculous statement."

Scheidell said it was unlikely a company the size of Trustwave would purposely ignore problems discovered during an assessment in order to keep a client happy, though he warned auditors and other companies that perform security assessments to be careful when negotiating final reports with clients.

While Scheidell said he has rarely run into problems with clients that commission assessments, on one occasion a customer did ask his firm to change its assessment results because it couldn't hand over the findings to the executive committee without being asked to fix some issues. In that case, he said, the problem was that the customer was running software that could no longer receive updates, a problem many merchants with Windows XP-based systems will face next week when XP's end-of-life date comes to pass.

"There's always the temptation for auditors to make the report look better," Scheidell said, "so they get that business next year."

Enterprises also need to adjust their expectations for what an assessment can accomplish, Scheidell said, especially when a company is found to be compliant with PCI DSS or another regulatory standard. In particular, he noted that PCI auditors come in at scheduled times and that IT and security teams have become adept at giving the auditors what they want. He said being PCI-compliant, as Target reportedly was, does not mean the organization is secure.

"PCI compliance in itself does not mean you're not vulnerable," Scheidell said. "It just means you met the specific requirements for that snapshot; that point in time when auditors came in.

"They're all PCI-compliant, and they're all being breached."


Should a PCI DSS assessment firm be held liable if its customer suffers a data breach?
This PCI monitoring service requirement was brought about by card processors to shift the responsibility for loss. Companies like Trustwave found a way to make money from the requirement. If they are not held accountable for their responsibility of testing and verifying compliance for the companies that hire them, then they are no better than the old elixir salesman who claims to cure what ails ya. Any company that accepts credit cards (including Target) does take risks when it does. However, these companies hire companies like Trustwave with the belief that if they become compliant, they are better off and have done everything they can do and is required of them to protect cardholder information. If companies like Trustwave can't or won't hold up their end of the bargain, what is a company to do?
Yes. If a retail business stores payment card data in its computer system, it must make sure that the data is secure from hackers. Data needs to be protected by a firewall, and certain measures should be taken to make the network secure from both internal and external unauthorized access.
Yes. They are the experts that are paid big bucks to help companies identify and assess vulnerabilities - however minor. This is the first step of due diligence a customer can take to remediate these weaknesses and they failed their customer. In addition, unless they are part of the solution/consequence, they don't have enough at stake to make them care.
Should a PCI DSS assessment firm be held liable if its customer suffers a data breach?

No, definitely not. I completely agree with this part:

"PCI compliance in itself does not mean you're not vulnerable," Scheidell said. "It just means you met the specific requirements for that snapshot; that point in time when auditors came in."

In any case, if you want the firm to be responsible for data breaches or some other type of incidents, that should be written in the contract (if they accept to do business with you with a clause like that, and if you accept to pay them what they might want to charge for accepting a clause like that).
NO. ONLY the owner of the data is accountable.
Tax security policies recover some costs incurred from Target's managed data security services provider, presumably for negligence or not detecting the vulnerability and fixing it.