Target’s holiday nightmare is going from bad to worse. The retailer, still reeling from a hacking attack that affected 40 million customers, is facing a new threat: a growing list of class action complaints that seek to punish the company for failing to protect shoppers’ data.
A review of federal court records shows that Target has been named in at least 40 different lawsuits across the country related to the data breach, which was reported by security researcher Brian Krebs on December 13 and confirmed by the company a few days later.
The lawsuits accuse Target of violating various state laws and of committing negligence in the way it handled customer data and reported the breach.
One complaint in Louisiana quotes an FTC report on identity theft to say that what the hackers obtained is as “good as gold.” In describing the harm from the breach, the lawsuits say that the affected customers will have to worry about data security for years.
While lawsuits are common in the wake of a major hacking incident, the sheer number of them in this case is unusual, and suggest Target could be on the hook for large sums of money.
Under the class action process, lawyers race each other up the courthouse stairs to file lawsuits, and then jockey afterwards for a share of the contingency payments that law firms typically receive when a company decides to settle. In this case, many firms appear to have decided that there’s blood in the water.
For now, Target and its customers are still digesting the implications of the breach, which was apparently masterminded by a Ukrainian. On Friday, the company confirmed that the hackers obtained debit card PIN numbers in the breach, but stressed this would not lead to harm because the PIN’s were encrypted.
Target has also posted a link on its homepage about the breach that tells customers what to do.
As for the customers themselves, they could receive a small payment in a few years once the legal dust settles.
Here’s a sample lawsuit from Utah: