Industry watchers have long expected Target and other retailers to eventually find themselves liable for stolen identities and bank fraud stemming from the high-profile point-of-sale (POS) breaches that have become a sad norm on the cyber-incident front. Now, a Minnesota court has paved the way for a series of lawsuits by banks looking to recover their losses, which they say range into the billions for the last year alone.
Judge Paul A. Magnuson of the Minnesota District Court has ruled that Target was negligent in the massive 2013 holiday shopping season data breach. As such, banks and other financial institutions can pursue compensation via class-action lawsuits.
“Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur,” Magnuson wrote in his ruling. “Indeed, Plaintiffs’ allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case.”
The attack was made possible by Target’s poor network sequestration; the attackers were able to access the POS network and exfiltrate payment card data for 40 million victims via an HVAC contractor’s credentials. Those same hackers also lifted personal data for 70 million in-store shoppers.
Also, the big-box giant admitted that an early-warning system from FireEye that was in place was ignored despite multiple alarms. In the wake of the revelations, several of Target’s C-suite resigned.
Retailers have argued that they are already paying their share of cost. In a letter from the National Retail Federation and the Retail Industry Leaders Association, the assertion is made that costs are borne equally between financial institutions and retailers, noting that “merchants collectively spend $6 billion annually on data security and are proactively leading the charge for chip-and-PIN deployments.”
Credit Union National Association president and CEO Jim Nussle strongly took issue with the claim.
"As we have documented in two surveys this year, data breaches at retailers have cost credit unions and their members a minimum of $90 million—and those are the costs only for breaches at Target, for $30 million, and Home Depot, at nearly $60 million," Nussle said in a statement.
He added, "With the many other breaches that have also occurred—at Staples, Neiman-Marcus and others—certainly credit unions have incurred millions more in costs this year. In our most recent survey…credit unions told us that—to date—they have received no reimbursements for the Target breach, now more than 10 months after the breach occurred.”
It would appear that the courts, for now, agree with him.