« Back to Case Finder

Key attorneys

Target Data Breach

Date Released: December 19, 2013
Court: U.S. District Court, Northern District of California
Type of Case: Consumer Rights
Status: Settled
Company Name: Target Corporation
Stock Symbol: NYSE: TGT

CASE SETTLED:

On Mar. 19, 2015 Target and lead counsel for the consumer cases, Heins Mills and Olsen, reached a tentative settlement in the case. If approved, affected consumers will be sent a class notice and instructions. There is no need for you to submit your information to Hagens Berman at this time.

Consumers represented by law firm Hagens Berman Sobol Shapiro LLP filed a proposed class-action lawsuit  on Jan. 14, 2014, against Target (NYSE: TGT) claiming the retail giant ignored warnings from as early as 2007 that the company’s point-of-sale (POS) system was vulnerable to attack, a move that put millions of Americans’ credit-cards and personal information at risk after the system was penetrated by unknown attackers on or about Nov. 17, 2013.

The lawsuit, filed in the U.S. District Court for the Northern District of California, claims that security expert Dr. Neal Krawetz alerted Target and other major national retail chains about its vulnerability to attack in a white paper outlining POS vulnerabilities at major retailers. The paper warned that security shortcomings in POS systems could put the financial information of consumers at risk. The white paper used Target as a specific example of the potential impact, estimating that as many as 58 million consumers could be at risk of account theft unless the retailer took steps to fix the issues.

The complaint alleges that a Target developer responsible for the retailer’s POS system was sent the white paper, acknowledged receiving it, and requested permission to send it to other Target employees. Attorneys claim that the developer also described Dr. Krawetz’s suggestions as “good ideas.” However, the lawsuit claims, Target ultimately failed to implement Dr. Krawetz’s proposed security fixes, and thus remained vulnerable to the attack that followed several years later.

The lawsuit also claims that Target was likely not compliant with industry standards for security, such as the PCI Data Security Standard (“PCI DSS”). For instance, the suit quotes an analyst who notes that three-digit CVV codes must have been stored in order for them to have been stolen, but storing CVV codes is a practice long banned by the PCI.

Attorneys allege that in addition to negligence prior to the security breach, Target repeatedly misled its customers about the nature and scale of the breach. For instance, the suit claims that Target initially stated that customers’ PIN numbers were not compromised, but later disclosed that the data had, in fact, been taken. Attorneys also claim that Target initially estimated only 40 million accounts were affected, but later appeared to state that in addition to account information for 40 million charge cards, the personal information of 70 million customers was also compromised. Customers whose charge account information was compromised, and whose personal information, such as name, address, phone number, and email were also stolen, are at a heightened risk of identity theft, according to attorneys.

The lawsuit is a proposed class action, and seeks to represent a class of all persons in the United States who used a credit or debit card at a Target store and whose financial or personal information was compromised. It claims that Target’s actions were negligent and additionally violated a number of state laws governing unfair business practices and the disclosure of security breaches.

Hagens Berman purchases advertisements on search engines, social media sites and other websites. If you send us information, note that does not create an attorney-client relationship with the firm.