Security Experts:

Responding to Lawsuit, Trustwave Says Did Not Monitor Target's Network

After recently being named as a defendant in a lawsuit related to the massive data breach that hit Target Corp. late last year, Trustwave’s top executive has said the claims against the firm are without merit and that the company would vigorously defend itself against what he calls “baseless allegations”.

The complaint, filed March 24 on behalf of a number of financial institutions, names both Target and Trustwave and accuses the security company of failing to protect Target's systems.

In the compliant, the banks state Trustwave was hired by Target to protect and monitor the retailer's systems, and that the security vendor scanned Target's systems on Sept. 20, 2013, and found no vulnerabilities were present. Because of vulnerabilities in Target's network however, millions of payment card records were stolen, according to the complaint, which asks for unspecified damages.

“Contrary to the misstated allegations in the plaintiffs complaints, Target did not outsource its data security or IT obligations to Trustwave,” Trustwave’s CEO, Robert McCullen, wrote in a letter to customers posted to the company’s website March 29.

"Trustwave failed to live up to its promises, or to meet industry standards," the complaint said. "Trustwave's failings, in turn, allowed hackers to cause the Data Breach and to steal Target customers' PII and sensitive payment card information. In addition, Trustwave failed to timely discover and report the Data Breach to Target or the public.

McCullen argues that this is not the case and that it was not responsible for protecting Target’s data.

“Trustwave did not monitor Target's network, nor did Trustwave process cardholder data for Target,” McCullen added.

While McCullen denied the allegations, he did not mention any relationship with Target or any services that were provided to the retail giant. A Trustwave spokesperson previously told SecurityWeek that the company does not comment on pending litigation or confirm the identities of customers.

And if Trustwave did provide compliance services to Target, we all know that compliance does not equal security. 

Related: Why Security Can't Live Without Compliance

RelatedThe New Compliance Checklist

RelatedPCI DSS 3.0: The Impact on Your Security Operations

RelatedNew Changes to PCI Data Security Standard 3.0 Published

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.