A class action lawsuit suggests that Target has known about the POS vulnerability since 2007.
On Tuesday, law firm Hagens Berman Sobol Shapiro LLP announced that it had filed a proposed class-action lawsuit against recently hacked retailer Target in the U.S. District Court for the Northern District of California. The firm claims that the retail giant ignored warnings from as early as 2007 that its point-of-sale (POS) system was vulnerable to attack.
The lawsuit, filed against Target on behalf of all the victims of the hack, alleges that security expert Dr. Neal Krawetz alerted Target -- along with other major national retail chains -- about its vulnerability to attack in a white paper outlining POS vulnerabilities at major retailers. This paper even used Target as a specific example of a potential attack, estimating back then that around 58 million customers would have their data stolen if the retailers didn't fix the outlined issues.
According to the complaint, a Target developer responsible for the POS system received the white paper and then asked if it could be sent to other Target executives. This developer also said that Dr. Krawetz had "good ideas," but ultimately the targeted retailer failed to implement those ideas, leaving Target vulnerable to attacks several years later.
"We believe that Target not only knew its systems were vulnerable to exactly this kind of attack all the way back in 2007, but was alerted to and acknowledged suggestions that would have made its customers safer," said Tom Loeser, a Hagens Berman partner and former federal prosecutor in the Cyber and Intellectual Property Crimes Section of the U.S. Attorneys' Office in Los Angeles. "However, Target did not act on this knowledge, and as a result, tens of millions have had their personal information stolen and financial accounts compromised."
Target originally reported that hackers broke into the POS system and acquired names, credit card numbers, and encrypted PIN numbers of 40 million customers. The company then followed up with an update reporting that even more details, including physical addresses, email addresses and phone numbers, were stolen from 70 million customers.
"Attorneys allege that in addition to negligence prior to the security breach, Target repeatedly misled its customers about the nature and scale of the breach. For instance, the suit claims that Target initially stated that customers' PIN numbers were not compromised, but later disclosed that the data had, in fact, been taken," the firm reports.
The lawsuit claims that Target's actions were negligent and "additionally violated a number of state laws governing unfair business practices and the disclosure of security breaches." The firm is hoping that this lawsuit will open the eyes of other retailers so that they will take customer data more seriously.