BreachExchange mailing list archives

Target Ruled Negligent in Massive Holiday Data Breach
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 8 Dec 2014 19:06:34 -0700

http://www.infosecurity-magazine.com/news/target-ruled-negligent-in-holiday/

Industry watchers have long expected Target and other retailers to
eventually find themselves liable for stolen identities and bank fraud
stemming from the high-profile point-of-sale (POS) breaches that have
become a sad norm on the cyber-incident front. Now, a Minnesota court has
paved the way for a series of lawsuits by banks looking to recover their
losses, which they say range into the billions for the last year alone.

Judge Paul A. Magnuson of the Minnesota District Court has ruled that
Target was negligent in the massive 2013 holiday shopping season data
breach. As such, banks and other financial institutions can pursue
compensation via class-action lawsuits.

“Although the third-party hackers’ activities caused harm, Target played a
key role in allowing the harm to occur,” Magnuson wrote in his ruling.
“Indeed, Plaintiffs’ allegation that Target purposely disabled one of the
security features that would have prevented the harm is itself sufficient
to plead a direct negligence case.”

The attack was made possible by Target’s poor network segmentation: the
attackers gained access to the POS network using an HVAC contractor’s
credentials and exfiltrated payment card data for 40 million victims. The
same attackers also lifted personal data for 70 million in-store shoppers.

The big-box giant also admitted that a FireEye early-warning system that was
already in place raised multiple alarms, all of which were ignored. In the
wake of these revelations, several of Target’s C-suite executives resigned.

Retailers have argued that they are already paying their share of the cost.
In a letter from the National Retail Federation and the Retail Industry
Leaders Association, the two groups assert that costs are borne equally
between financial institutions and retailers, noting that “merchants
collectively spend $6 billion annually on data security and are proactively
leading the charge for chip-and-PIN deployments.”

Credit Union National Association president and CEO Jim Nussle strongly
took issue with the claim.

“As we have documented in two surveys this year, data breaches at retailers
have cost credit unions and their members a minimum of $90 million—and
those are the costs only for breaches at Target, for $30 million, and Home
Depot, at nearly $60 million,” Nussle said in a statement.

He added, “With the many other breaches that have also occurred—at Staples,
Neiman-Marcus and others—certainly credit unions have incurred millions
more in costs this year. In our most recent survey…credit unions told us
that—to date—they have received no reimbursements for the Target breach,
now more than 10 months after the breach occurred.”

It would appear that the courts, for now, agree with him.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 