Slashdot Mirror


Target and Trustwave Sued Over Credit Card Breach

jfruh (300774) writes "Security vendors like Trustwave can make big bucks when major companies decide they don't have the internal resources to handle their cybersecurity needs. Unfortunately, when taking on security chores, you also take on security liabilities. In the wake of Target's massive credit card security breach, both Target and Trustwave are now on the receiving end of a class action lawsuit, in part backed by banks that had to issue thousands of new credit cards." The filing, and a bit more from El Reg: "It's against Target, however, that the most serious allegations are levelled. The class action led by Trustmark National Bank and Green Bank, say the retailer should not have allowed an outside contractor the access to its network that brought about the breach, and that it violated federal and state laws in storing the credit card data on its network."

13 of 87 comments

  1. Sad to see it takes a lawsuit ... by UnknownSoldier · Score: 4, Insightful

    ... for companies to get their shit together about their lax security policies.

    It is too bad temp credit cards (1-time use, 3-time use) aren't more practical.

    1. Re:Sad to see it takes a lawsuit ... by sconeu · Score: 4, Informative

      AMEX used to provide this for on-line purchases. Alas, they discontinued it about 7 or 8 years ago.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    2. Re:Sad to see it takes a lawsuit ... by lgw · Score: 2

      In Target's case, vulnerabilities were found, were reported, were ignored,

      In Target's case the intrusion was found, automatically reported, and ignored, weeks before the actual theft of CC numbers.

      This has all the makings of a "gross negligence" tort, which is the criminal justice system for corporations.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. Banks are responsible too by hawguy · Score: 4, Insightful

    Banks hold some of the responsibility too -- why are they still issuing cards with 1970's era magstripe technology that is so easily intercepted and stolen? They claim that the merchants don't want to pay to install new credit card readers, yet only the banks have the power to force it on them (through fee penalties for those that still use magstripes, or an outright mandate requiring new scanners). Even merchants that *want* to use safer technology can't do anything to make the banks issue the new cards.

    1. Re:Banks are responsible too by brunes69 · Score: 3

      The banks ARE making moves here.

      All card terminals in the US need to accept chip & PIN by 2015 because the banks will be mandating it. It's coming like a tidal wave and US retailers are turning a blind eye, hopefully the banks and Visa/MC hold steadfast in the requirement.

      It should be embarrassing to the USA that every single other OECD nation on the planet switched to Chip & PIN 5-10 years ago. The USA does not always HAVE to be different. Sometimes going with the flow is the more intelligent choice.

    2. Re:Banks are responsible too by way2trivial · Score: 4, Interesting

      Not precisely correct.

      Chip & pin is coming, it's not mandatory on merchants (yet) but if fraud is indicated and the merchant failed to have a chip terminal, and the customer has a chipped card the merchant will lose the chargeback automatically.

      Liability shift, will now be on one of two entities.
      The merchant, for not having the terminal, or the consumer, for not protecting their pin.

      the liability also shifts almost 100% OFF the card issuing bank....
      (the real reason)

      --
      every day http://en.wikipedia.org/wiki/Special:Random
    3. Re:Banks are responsible too by brunes69 · Score: 2

      .. and all customers will have chipped cards by October.

    4. Re:Banks are responsible too by hawguy · Score: 2

      Target doesn't want to ditch the magstripe. They do incredible amounts of data mining based off of data on the magstripe.

      See: How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did.

      Chip-and-Pin doesn't provide magstripe data to Target. Target can't build its demographic data. That's going to hurt sales.

      If that's the case, they'll just have to do it the old fashioned way -- with affinity cards "Swipe your TargetPoints card and save $$$!".

      It's not necessarily the case that chip-and-pin removes the ability for merchants to do customer tracking -- just because the card number is encrypted and protected doesn't mean that no unique identifying information is sent in the clear to let a merchant recognize a returning customer.

    5. Re:Banks are responsible too by rsborg · Score: 2

      Not precisely correct.

      Chip & pin is coming, it's not mandatory on merchants (yet) but if fraud is indicated and the merchant failed to have a chip terminal, and the customer has a chipped card the merchant will lose the chargeback automatically.

      Liability shift, will now be on one of two entities.
      The merchant, for not having the terminal, or the consumer, for not protecting their pin.

      the liability also shifts almost 100% OFF the card issuing bank....
      (the real reason)

      I wonder how this will impact online payments - how will chip/pin be supported there?
      Given most of my CC activity is online, I fathom this is a huge loophole to the new security structure...

      --
      Make sure everyone's vote counts: Verified Voting
    6. Re:Banks are responsible too by Anonymous Coward · Score: 2, Interesting

      All this despite the fact that chip+pin is just as vulnerable as swipe+sign, and nobody here wants it except the banks.

      Putting the liability on anyone other than the bank is just bullshit, and I, for one, will refuse to support it for as long as I possibly can. Here's why:

      The merchant and the buyer don't know each other. The bank knows the buyer. The bank knows the merchant. Thus the bank is the only one qualified to authorize the transaction. If either of the other parties says that the agreement was not upheld to their satisfaction, it's the bank's job to arbitrate, judge, and carry out a decision about the transaction. Thus all onus must be on the bank. And if the bank made a bad call by doing business with a crook (either by issuing them a card or by allowing a fraudulent transaction to pass as valid), then the bank must be on the hook for the transaction. Chip+pin is the banks' way of dodging their responsibility. I refuse to let them off with that free pass without as much of a fight as I can muster.

    7. Re:Banks are responsible too by Anonymous Coward · Score: 2, Insightful

      Speaking as a Canadian with chip&pin credit cards that have been used on-line, chip & pin isn't supported.

      You key your credit card number in 1 field
      You key your 3 digit "security code" (printed on the back of the card) in a different field.

      You don't use your personal pin anywhere on-line to purchase things ... and of course the chip doesn't come into play at all.

  3. SSDD by Wookact · Score: 3, Insightful

    I am surprised it took this long for the lawyers to get geared up.

  4. Re:Mandatory arbitration? by Overzeetop · Score: 3, Insightful

    I would have thought a coupon for a free pizza and a drink would have been enough. It's not like Target blew up a town, they just lost some CC#s. On second thought, maybe just a free drink with your next purchase.

    --
    Is it just my observation, or are there way too many stupid people in the world?