Target Knew of Data Breach Risks Since 2007, Alleges Class Action Lawsuit
Following last month’s massive data breach, Target faces a new class action lawsuit alleging the retail giant has known since 2007 that its point-of-sale system was vulnerable to a cyber attack, but chose not to take proper steps to update its systems and protect its customers.
Class Action Lawsuit – Target Ignored Expert Security Warnings Back in 2007
The class action complaint, filed in the U.S. District Court for the Northern District of California, charges Target with negligence, unfair business practices and violation of security breach disclosure laws.
The complaint alleges that Target was warned of its vulnerability to a hacker attack in 2007, when security expert Neal Krawetz published a white paper explaining the security risks in point-of-sale (POS) systems and how all the information on a credit or debit card (name, card number, expiration date, the CVV on the back of the card, and PINs) could be compromised unless such POS systems were upgraded. Krawetz’s paper used Target as a case study to illustrate the security problem, particularly with regard to how consumer credit card information is stored by the company and other large retailers. Target’s IT developer responsible for the POS system acknowledged reading the white paper and requested it be reviewed by other Target employees. Target, however, evidently decided not to act on Krawetz’s warnings and did nothing to implement the recommended data security protocols.
The lawsuit further alleges that at the time, Target lacked full PCI compliance (meaning the company’s systems did not conform to the Payment Card Industry (PCI) data security standards) with regard to how credit and debit card data is handled and stored. PCI compliance is considered a minimum level of data security for major businesses and only one aspect of a comprehensive data security program.
Target’s Massive Data Breach and the Disclosure Failures that Followed
Target’s security failings aren’t its only legal problem. After the breach, Target unfortunately did little to mitigate customer harm. Target kept news of the breach relatively quiet for several days and, when it did inform the public, it elected to publish the news on its web page rather than engage in a full media disclosure.
Target initially reported that up to 40 million customers’ credit and debit card accounts were hacked over a 19-day period during the Christmas shopping season (Nov. 27, 2013 – Dec. 15, 2013). Later, Target admitted the breach was more widespread than initially estimated and that an additional 70 million customers’ personal information was compromised, bringing the total number of breach victims to a staggering 110 million people. Just as Krawetz had warned back in 2007, customers’ credit and debit card numbers, expiration dates and security codes encrypted in the card magnetic strips were all compromised.
Millions of consumers were left vulnerable to financial and identity theft as a result. However, many consumers had to first learn of the breach by discovering fraudulent transactions on their credit and banking reports. Target’s “too-little, too-late” type of disclosures violate certain state breach notification laws, as may be the case in California according to the lawsuit.
How Do I Get More Information?
If you have experienced problems with the Target data breach, contact the experienced attorneys at Audet and Partners, LLP for a free evaluation of your legal options. Call us at (800) 965-1461 or fill out the confidential case inquiry form on the right side of this web page.