Last week, Trustmark National Bank and Green Bank NA filed a complaint in Chicago federal court accusing Target and Trustwave of failing to properly secure customer data, enabling the theft of 110 million records, including 40 million credit cards.
Trustmark and Green Bank are seeking at least $5 million in unspecified damages, but said that losses could top $1 billion for the card issuers they are looking to represent (if class-action status is approved), and more than $18 billion for banks and retailers.
According to the court documents, Trustwave is involved because they failed to adequately protect Target's network.
Trustwave scanned Target's computer systems on Sept. 20, 2013, and told Target that there were no vulnerabilities in Target's computer systems. Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target's systems and compromises of PII or other sensitive data. In fact, however, the data breach continued for nearly three weeks on Trustwave's watch.
Trustwave failed to live up to its promises or to meet industry standards. Trustwave's failings, in turn, allowed hackers to cause the data breach and to steal Target customers' PII and sensitive payment card information. In addition, Trustwave failed to timely discover and report the data breach to Target or the public.
The full court documents are available here.
In response to these claims, Trustwave's CEO, Robert J. McCullen, has issued a statement on the matter, promising that his company is prepared to go to court over this and fight. In addition, sources close to the matter have confirmed that Trustwave didn't offer any additional services to Target, something the statement touches on.
"Dear Customers and Business Partners,
As some of you may know, Trustwave was recently named as a defendant in lawsuits relating to the data security breach that affected Target stores in late 2013.
In response to these legal filings, Trustwave would like to reassure our customers and business partners that these claims against Trustwave are without merit, and that we look forward to vigorously defending ourselves in court against these baseless allegations.
Contrary to the misstated allegations in the plaintiffs' complaints, Target did not outsource its data security or IT obligations to Trustwave. Trustwave did not monitor Target's network, nor did Trustwave process cardholder data for Target.
Our customers and business partners can continue to expect the quality and dedicated service Trustwave has provided them for almost 20 years."
In the aftermath of the Target breach, the company has lost its CIO and faced other compounding problems, including reputational setbacks and lawsuits beyond this one. That this is the second time Target has been hit by such a breach makes things worse. But the charges against Trustwave are significant.
In interviews with CSO, Jacob Olcott, who manages the cybersecurity practice at Good Harbor Security Risk Management, and Lisa Sotto, chair of the global privacy and cybersecurity practice at Hunton & Williams, commented on the case.
"It's a significant development because auditors and security technology companies have never previously faced liability for failing to detect or mitigate breaches. It certainly raises the bar for auditors, who may modify their auditing practices to enhance the scrutiny of the companies they audit," said Olcott.
Some assessors are more "check the box" and less rigorous, while others are extremely thorough, Sotto said. Less diligent QSAs will sometimes cut corners in order to keep prices competitive. "The QSAs would be wise to pay attention to this and to ensure that there's appropriate rigor in their assessments," Sotto added.
"The cost pressure results in probably less time than may be needed to do an appropriate assessment."