Target guilty of massive $30m data breach


Target is to blame for a data breach that saw 70 million customer records stolen a year ago, a judge has ruled, paving the way for a flurry of lawsuits from banks seeking to recover their losses.

The retailer suffered a huge data hack over November and December 2013, in which the details of 40 million credit cards were stolen by cyber criminals who infected store payment systems with malware.

A year on, Minnesota district court judge Paul Magnuson has ruled that Target was negligent in the holiday breach.

He referred to the fact the retailer had ignored alerts from its $1.6 million early-warning system provided by FireEye, as well as referring to the company purposefully disabling security software that could have thwarted the attack.

He said: "Although the third-party hackers' activities caused harm, Target played a key role in allowing the harm to occur.

"Plaintiffs' allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case.

"Target held itself out as having secure data systems when Target knew that it did not have secure systems and had taken affirmative steps to make its systems more vulnerable to attack."

Target was also guilty of having inadequate network sequestration, which enabled hackers to access the point-of-sale network using an external contractor's details.

The ruling clears the way for banks to sue the retailer for their losses in the $30 million incident, following heated debates between unions representing retailers and banks.

The National Retail Federation and the Retail Industry Leaders Association claims data breach costs should be shared between retailers and banks because retailers spend an alleged $6 billion a year on data security.

This was rebutted by Credit Union National Association CEO, Jim Nussle, who said: "In our most recent survey, released just yesterday, credit unions told us that - to date - they have received no reimbursements for the Target breach, now more than 10 months after the breach occurred. "In short, we'll back off highlighting the costs of data breaches on credit unions when merchants step up and take responsibility, adopt the same data standards, and stop making consumers vulnerable."