Trustwave in the firing line in Target lawsuit

Legal payout could be significant in a breach whose costs may reach £10.9 billion (US $18 billion).

US DOJ to investigate Target data breach

Two US banks have sued Trustwave for damages in connection with the major data breach at Target Corporation, the giant US retailer, late last year. 

The lawsuit seeks damages of more than £3 million and names Trustwave Holdings and Target as defendants, says the American Banker, which broke the story.

The suit cites figures from the Consumer Bankers Association which reveal that US banks have spent more than £103 million reissuing new cards to customers, noting that the cost of the breach could top the £10.9 billion mark.

The bank suit - from Trustmark National Bank and Green Bank NA - also requests a jury trial and seeks unspecified compensatory and statutory damages, meaning that - if successful - a payout could be in the billions of dollars range.

Although the lawsuit names Trustwave and Target, the focus of the legal action appears to be against Trustwave, as it alleges that the security vulnerabilities were either undetected or ignored by Trustwave, giving hackers access to customer payment card details and allied information. 

Trustwave has refused comment on the lawsuit. The company filed for an IPO in April 2011. 

At that time it reported annual revenues of £67 million, but still remains in private hands, meaning that its figures remain unreported. The firm has, however, grown in the last few years, and now services more than two million client companies in 96 countries, which suggests the company's annual turnover has increased significantly.

A report by the US Senate yesterday says that Target missed multiple opportunities to stop the hacker incursions into its systems, adding that Target gave access to its network to a third-party vendor that did not follow accepted information security practices. 

All but one of the security vendors and industry experts that SCMagazineUK.com approached refused to comment on the case, with many citing commercial reasons.

Steve Smith, managing director with Reading-based pen-testing specialist Pentura, however, said that virtually all enterprise security solutions need to be installed - and configured - correctly in order to secure a corporate IT system. 

In addition, he says, there is a need for regular updates to maintain protection against new security threats and vulnerabilities. 

"At an enterprise level, few solutions are plug-and-play so it's hard to see how a security vendor alone could be held liable in this type of situation," he said. 

"The lawsuit filed by the two banks names both the security vendor and the end-user as defendants, which implies the case will be looking into Target's internal security practices," he added. 

The lawsuit, however, claims that Trustwave scanned Target's network on September 20 last year and told the retailer that no vulnerabilities were found. 

Target itself has said it believes the attackers stole the data between the 27th of November and the 15th of December last year, using malicious software installed on the EFTPOS point-of-sale devices in regular use by customers at its many hundreds of branches. 

As previously reported, the malware is believed to have used RAM scraping techniques - capitalising on the fact that unencrypted debit or credit card details are held briefly in computer memory, before being encrypted and stored on a server's hard drive.