
Target hit with dozens of lawsuits over mass data breach


Target’s holiday nightmare is going from bad to worse. The retailer, still reeling from a hacking attack that affected 40 million customers, is facing a new threat: a growing list of class action complaints that seek to punish the company for failing to protect shoppers’ data.

A review of federal court records shows that Target has been named in at least 40 different lawsuits across the country related to the data breach, which was reported by security researcher Brian Krebs on December 13 and confirmed by the company a few days later.

The lawsuits accuse Target of violating various state laws and of committing negligence in the way it handled customer data and reported the breach.

One complaint in Louisiana quotes an FTC report on identity theft to say that what the hackers obtained is as “good as gold.” In describing the harm from the breach, the lawsuits say that the affected customers will have to worry about data security for years.

While lawsuits are common in the wake of a major hacking incident, the sheer number of them in this case is unusual, and suggests Target could be on the hook for large sums of money.

Under the class action process, lawyers race each other up the courthouse stairs to file lawsuits, and then jockey afterwards for a share of the contingency payments that law firms typically receive when a company decides to settle. In this case, many firms appear to have decided that there’s blood in the water.

For now, Target and its customers are still digesting the implications of the breach, which was apparently masterminded by a Ukrainian. On Friday, the company confirmed that the hackers obtained debit card PIN numbers in the breach, but stressed this would not lead to harm because the PINs were encrypted.

Target has also posted a link on its homepage about the breach that tells customers what to do.

As for the customers themselves, they could receive a small payment in a few years once the legal dust settles.

Here’s a sample lawsuit from Utah:

Target Class Action Utah


6 Responses to “Target hit with dozens of lawsuits over mass data breach”

  1. Nicholas Paredes

    Barely two months after getting a new card as a result of the Adobe breach, I have to get a new debit card from my bank. This is truly annoying, and the credit card companies know that Target tarnished their brands.

    If Target is found negligent, the big payments will be to MasterCard, Visa, etc…

  2. James Dempsey

    The problem is, Bob, many people used Debit cards, or had their Target Red Card info stolen; both are linked directly to a bank checking account where the thieves can easily spend the money quickly.

    Claiming fraud on a credit card is easy. As you found, you simply call, get a new card, and the CC company doesn’t pay the vendor for the goods. It’s a whole lot more difficult when the thief removes your cash from your bank account. Then you’re forced to fight to get your own money back from the bank – and that is not so easy. It can take months, or even years. Then think about what else might be linked to that debit card or checking account – all those accounts are now compromised.

  3. What is so difficult about canceling your credit card and having a new one issued? It took me all of 5 minutes. Beats all of the hand wringing and worry that someone might use my card for fraudulent purchases. Just cancel the card and move on! (and forget about your potential $8.57 windfall from the class action settlement)

  4. Target – or any other retailer – has no reason to store a credit card number after a transaction is complete, other than to use the credit card number to track a consumer. I.e., it’s all about them, not the consumer. And it’s not some kind of requirement, and not just an artifact of using credit cards. This is the result of a specific business process by Target (and other retailers) to data-mine their consumers for their own corporate gain. This is a totally self-inflicted wound from start to finish and Target deserves whatever they get slammed with. (I am excluding, of course, cases where the consumer has given the retailer permission to associate a credit card number with a ‘membership’ account profile. Consumers who do that should now be double aware of the risks.)

    • Wasn’t the ‘hack’ a piece of software that played man-in-the-middle and intercepted the mag strip read before passing it to the final server for processing (as well as the entered PIN if it was a debit card)?

      So, they weren’t actually ‘storing’ anything?