The fallout from the Target data breach has put security firm Trustwave in the middle of a class action lawsuit.
The complaint, which was filed March 24 in U.S. District Court in Illinois, names both Target and Trustwave and accuses the security company of failing to protect Target’s systems.
Contacted by SecurityWeek, a Trustwave spokesperson said the company does not comment on pending litigation or confirm the identities of customers.
The complaint was filed on behalf of Trustmark National Bank and Green Bank, N.A., and “all other similarly situated financial institutions.”
In the compliant, the banks state Trustwave was hired by Target to protect and monitor the retailer’s systems, and that the security vendor scanned Target’s systems on Sept. 20, 2013, and found no vulnerabilities were present. Because of vulnerabilities in Target’s network however, millions of payment card records were stolen, the complaint states.
“Additionally…Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target’s systems and compromises of PII [personally-identifiable information] or other sensitive data,” the complaint reads. “In fact, however, the Data Breach continued for nearly three weeks on Trustwave’s watch.”
“Trustwave failed to live up to its promises, or to meet industry standards,” the complaint continues. “Trustwave’s failings, in turn, allowed hackers to cause the Data Breach and to steal Target customers’ PII and sensitive payment card information. In addition, Trustwave failed to timely discover and report the Data Breach to Target or the public.”
The investigation into the breach revealed that Target’s systems were compromised from Nov. 27 to Dec. 15. The data breach, which also included the theft of information such as email and mailing addresses for millions of Target customers, was one of the biggest such incidents in recent history. In February, the Consumer Bankers Association (CBA) and the Credit Union National Association (CUNA) reported that costs associated with the breach exceed $200 million. Much of that figure – $172 million – comes from the cost of replacing cards for CBA members, while CUNA reported that the cost to credit unions had reached $30.6 million.
“A recent analysis by global investment banking firm Jefferies suggests that payment card issuers could sustain upwards of $1 billion of damages as a result of the Target Data Breach based on an estimated 4.8 million to 7.2 million stolen and compromised Payment Cards being used to make fraudulent purchases and unauthorized cash withdrawals,” according to the complaint. “These costs fall on Trustmark and the other Class members, even though they had nothing to do with causing the Data Breach and could not have avoided it.”
The suit asks for unspecified damages.
Just last week, TrustWave announced that it had acquired Cenzic, Inc., a maker of application security testing solutions, for an undisclosed sum.