Beasley Allen, along with several law firms from around the country, is diligently prosecuting a class action lawsuit against Target on behalf of the financial institutions who bore the brunt of the credit card thefts that resulted from Target’s alleged negligence in failing to safeguard customer financial information. Despite Target’s attempt to keep the filing under wraps, the motion for class certification filed by financial institutions against Target for its role in the 2013 data breach was unsealed by the United States District Court in Minneapolis, Minn., with Judge Paul Magnuson presiding over the case on Thursday.
As demonstrated throughout the memorandum, the banks contend that the Target breach was a “foreseeable consequence of Target’s longstanding lackadaisical practices” and “substandard cybersecurity practices.” As a result, as many as 110 million customers had their personal or financial information compromised, including more than 40 million credit and debit cards.
The banks argue that “Target hired ill-equipped employees to oversee its data security systems, maintained woefully deficient security programs, repeatedly ignored pre-breach warnings about malware intrusions and took steps to limit employees’ ability to secure data in busy periods to avoid disrupting profits.”
The banks’ brief further contends that among other significant failures, Target disabled and removed key security features of Symantec, its anti-virus provider, and kept them disabled until after Black Friday. According to the banks, Target installed FireEye, a cybersecurity application, but failed to implement its malware prevention features and failed to integrate FireEye into its alert generating system. Further, Target implemented a “system freeze” from October 2013 to January 2014 making it more difficult to make any changes to Target’s computer systems “during seasons where Target generated the most revenue,” the banks claim.
The banks explained that once the breach began, Target ignored warnings about the intrusion as early as Nov. 25, 2013, when Target received an alert for unauthorized activity on its point-of-sale (POS) terminals. The alert led a Target Security Operations Center employee to note in an email, “Funny thing was that this one looked kinda suspicious to me. Looks like someone’s using a service account to access all the registers in one store.” Target received alerts the next day, Nov. 26, and several days afterward; however, it failed to act until it was contacted by the U.S. Secret Service on Dec. 12, 2013.
Even prior to the breach, the banks claim in their brief that Target failed to secure its customers’ financial information. A former Target group manager “testified that in April of 2012, Target discovered unencrypted payment card information dating back ‘at least six or seven years’ on servers” in nearly 300 Target stores. “Despite finding this unencrypted data, Target failed to take any action…for nearly six months until the end of September 2012.”
“[W]orse, Target continued to retain unencrypted payment card data on its system. Specifically, unencrypted card data dating back almost 10 years was found in plain text on Target’s servers during the investigation of the breach,” the banks stated.
Beasley Allen’s Dee Miles, who was appointed by Judge Paul Magnuson to the Plaintiff’s Leadership Committee representing the banks, observed “within days of the Court publishing the true facts of the case against Target revealing what appears to be ‘gross negligence’ on the part of Target, Target announced publicly that it has been privately negotiating with a third party, VISA, to use something called the ‘GCAR’ Resolution Program to settle losses the banks may have incurred. However, Target’s offer is literally pennies on the dollar and is grossly inadequate to compensate banks for their actual losses, especially under the facts that have now been revealed.” Miles and the Plaintiff’s Leadership Committee have notified the banks of these issues and are urging the banks to NOT sign any documents whatsoever in relation to any funds VISA sends to them in relation to the Target breach.
“Target’s secret negotiation with VISA is a real attempt to undermine the class action and the Court system,” said Miles. “We are hopeful that the banks will see Target’s attempt for what it actually is…an attempt to cheat them out of their true losses.”
Target announced that its deadline for banks to participate in their GCAR Program is Sept. 4, 2015. The hearing on the class certification to take place in the federal district court in Minnesota is scheduled for Sept. 13, 2015 before Judge Paul Magnuson.