In December, a District Court judge in Minnesota ruled the banks affected by the Target breach in December 2013 will be allowed to sue for those losses.
After the high profile breach, banks and consumers sued Target in Minneapolis Minnesota, where the company is headquartered. The suits were then grouped together into two consolidated class action complaints.Target filed a Motion to Dismiss the claims made by the financial institutions,but District Court Judge Paul A. Magnuson denied the motion.
The background filed with the court in the case states that approximately 110 million Target customers had their debit or credit cards stolen in the breach. Other sources place the number of credit & debit cards stolen around 40 million. In addition, around 70 million customers had their personal information stolen.
The data breach occurred between November and December of 2013.The breach was caused by hacker placed malware on Target Point of Sale (POS) systems. This made it possible for the hackers to steal credit card numbers as consumers swiped their cards. In addition, Target stored the CVV code from the credit card which is a violation of Minnesota’s Plastic Security Card Act.
This outcome of the case could cause many changes in how the cost of fraud is determined and who ends up being responsible for the cost of fraud overall. As it is now, the banks and those who process the credit cards on behalf of the banks are responsible for the burden of any fraudulent credit card charges. The burden may shift to the merchant if they are not protecting their POS and data systems properly. If Target ends up being at fault, the payout will be in the hundreds of millions. One estimate puts the amount around$400 million.
This case is also reliant on the Payment Card Industry Data Security Standard (PCIDSS) which governs how payment card (credit/debit cards) data is handled. It has been a long held belief by security professionals that just because a company is “compliant” with the standard, does not mean data is secure.
Evidence Solutions' Data Breach Experts believe that companies can never become complacent with their security, ever.
