Menu
Security vendor Trustwave named in US Target-related suit

Security vendor Trustwave named in US Target-related suit

Trustwave should have detected and prevent the attacks, the suit claims

Security vendor Trustwave was accused in a class-action suit of failing to detect the attack that led to Target's data breach, one of the largest on record.

Target, which is also named as a defendant, outsourced its data security obligations to Trustwave, which "failed to live up to its promises or to meet industry standards," alleged the suit, filed Monday in U.S. District Court for the Northern District of Illinois.

Plaintiffs Trustmark National Bank of New York and Green Bank of Houston claim Target and Trustwave failed to stop the theft of 40 million payment card details and 70 million other personal records.

The lawsuit, one of dozens filed against Target, illustrates the growing frustration of banks burdened with the costs of reissuing compromised cards and their willingness to pull in other companies viewed as culpable into legal battles.

Support agreements between companies and security vendors are often confidential, and it was not clear from the suit how the banks determined Trustwave was one of Target's contractors.

A Trustwave spokeswoman said Tuesday via email the company doesn't confirm its customers or comment on pending legal matters. Target also said it also does not comment on pending litigation.

The suit contends Target retained Trustwave to monitor its computer systems and ensure compliance with PCI-DSS, an industry security recommendation pushed by MasterCard and Visa to protect cardholder data from leaking.

Trustwave claims on its website to provide guidance to millions of businesses for compliance with PCI standards with testing and assessment teams.

Trustwave scanned Target's network on Sept. 20, 2013 and told Target no vulnerabilities were found, the suit alleges.

Target has said it believed attackers stole the data between Nov. 27, 2013, and Dec. 15, 2013, via malicious software installed on point-of-sale devices.

The malware collected unencrypted payment card details after a card was swiped and briefly held in a computer's memory, capitalizing on a unknown weakness despite years of efforts to harden payment systems.

U.S. banks have spent more than US$172 million reissuing cards, the suit said, citing figures from the Consumer Banker Association. The total cost of the breach to retailers and banks could exceed $18 billion, the suit claims.

The suit, which asks for a jury trial, seeks unspecified compensatory and statutory damages.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityfraudmalwaredata breachintrusiontrustwaveTargetIdentity fraud / theft

Featured

Slideshows

Ingram Micro launches Showcase 2018 in Christchurch

Ingram Micro launches Showcase 2018 in Christchurch

Ingram Micro kickstarted Showcase 2018 in Christchurch, hosting more than 40 vendors at Horncastle Arena. Under the banner of Leading the Way, the event demonstrated what’s new, what’s next and how it can be used to improve business and everyday life.

Ingram Micro launches Showcase 2018 in Christchurch
Data breach notification laws in NZ: How can partners prepare?

Data breach notification laws in NZ: How can partners prepare?

This exclusive Reseller News Roundtable outlined the responsibilities facing security partners today, assessing risk while evaluating the role of the vendor in providing added layers of protection.

Data breach notification laws in NZ: How can partners prepare?
Show Comments