Hagens Berman Reminds Consumers Class Action Lawsuit against Target Stores for Data Breach Affecting 70 Million Consumers

Jan 28, 2014

SEATTLE – Hagens Berman Sobol Shapiro LLP, a leading consumer-rights law firm filed a class-action lawsuit on Jan. 14, 2014 against Target (NYSE: TGT) claiming the retail giant ignored warnings from as early as 2007 that the company’s point-of-sale (POS) system was vulnerable to attack, a move that put more than 70 million of Americans’ credit and debit card records and personal information at risk after the system was penetrated by attackers on or about Nov. 17, 2013, compromising the accounts of at least 1.1 million cards.

The lawsuit, filed by Hagens Berman in the U.S. District Court for the Northern District of California, claims that security expert Dr. Neal Krawetz alerted Target and other major national retail chains about its vulnerability to attack in a white paper outlining POS vulnerabilities at major retailers. The paper warned that security shortcomings in POS systems could put the financial information of consumers at risk. The paper warned that security shortcomings in POS systems could put the financial information of consumers at risk.

The complaint alleges that a Target developer responsible for the retailer’s POS system was sent the white paper, acknowledged receiving it, and requested permission to send it to other Target employees. Attorneys claim that the developer also described Dr. Krawetz’s suggestions as “good ideas.” However, the lawsuit claims, Target ultimately failed to implement Dr. Krawetz’s proposed security fixes, and thus remained vulnerable to the attack that followed several years later.

“We plan to introduce evidence that shows that Target was aware its sales systems were vulnerable to precisely the kind of attack that happened during the holiday season,” said Tom Loeser, a Hagens Berman Partner and former federal prosecutor in the Cyber and Intellectual Property Crimes Section of the U.S. Attorneys’ Office in Los Angeles. “But the retail chain failed to act, which has resulted in more than one million compromised credit and debit card accounts as well as stress from countless other consumers about their identities and personal information.”

The lawsuit also claims that Target was likely not compliant with industry standards for security, such as the PCI Data Security Standard (“PCI DSS”). For instance, the suit quotes an analyst who notes that three-digit CVV codes must have been stored in order for them to have been stolen, but storing CVV codes is a practice long banned by the PCI.

Attorneys allege that in addition to negligence prior to the security breach, Target repeatedly misled its customers about the nature and scale of the breach. For instance, the suit claims that Target initially stated that customers’ PIN numbers were not compromised, but later disclosed that the data had, in fact, been taken. Attorneys also claim that Target initially estimated only 40 million accounts were affected, but later appeared to state that in addition to account information for 40 million charge cards, the personal information of 70 million customers was also compromised. Customers whose charge account information was compromised, and whose personal information, such as name, address, phone number, and email were also stolen, are at a heightened risk of identity theft, according to attorneys.

“Millions of customers have been affected by this data breach nationwide,” said Hagens Berman Managing Partner Steve Berman. “Yet, Target’s response to this widespread compromise of personal information has been delayed for the company’s own interests.”

“Not only did Target fail to quickly disclose notice of the data breach to consumers – the retail chain also sought to minimize the effect the data breach would have on its holiday sales by disclosing the breach only on its corporate website and not disclosing that customer PIN numbers had also been stolen,” Berman continued.

“Target and other major retail chains need to realize the importance of protecting consumer information,” Berman said. “We hope that this lawsuit will serve to improve this protocol and encourage stricter and safer guidelines and swifter action to help protect consumer information and privacy.” 

The lawsuit is a proposed class action, and seeks to represent a class of all persons in the United States who used a credit or debit card at a Target store and whose financial or personal information was compromised. It claims that Target’s actions were negligent and additionally violated a number of state laws governing unfair business practices and the disclosure of security breaches.

# # #

About Hagens Berman
Hagens Berman Sobol Shapiro LLP is a consumer-rights class-action law firm with offices in ten cities. The firm has been named to the National Law Journal’s Plaintiffs’ Hot List eight times. More about the law firm and its successes can be found at www.hbsslaw.com. Follow the firm for updates and news at @ClassActionLaw.

Media Contact
Ashley Klann
[email protected]
206-268-9363

Hagens Berman purchases advertisements on search engines, social media sites and other websites. Transmission of the information contained or available through this website is not intended to create, and receipt does not constitute, an attorney-client relationship. If you seek legal advice or representation by Hagens Berman, you must first enter a formal agreement. All information contained in any transmission is confidential and Hagens Berman agrees to protect information against unauthorized use, publication or disclosure. This site is regulated by the Washington Rules of Professional Conduct.