Target claims no responsibility for 'Black Friday' data theft in court
MacNN Staff
Join Date: Jul 2012
Five banks are suing retailer Target over the infamous "Black Friday" data breach in a federal lawsuit. In a hearing yesterday before US District Judge Paul Magnuson, Target claimed that the banks' losses weren't the retailer's fault, as they happened at the point of sale in many stores that the corporation claims it is not responsible for, as opposed to a central failure in corporate data services - therefore, the Minnesota and US Plastic Card Security Act provisions don't apply.
First Federal Savings, Village Bank, Umpqua Bank, Mutual Bank, and CSE Federal Credit Union launched the lawsuit, as each lost $5 million or more. Target claims that the use of third-party processors insulates it against the suit, and has argued that the suit should be dismissed.
India-based researchers found evidence of the breach that spanned November 29 through December 15, 2013 after examining logs, and informed Target headquarters on November 30, 2013. Additional malware was discovered by the company's own security software on December 2. A series of alarms were issued by the software with a highest-priority warning associated, all of which were ignored by Target security personnel.
Compounding the problem, the software's automatic malware-removal features had been disabled by Target security in the months prior to the intrusion. The malware installation was detected so early that it had not begun to transmit its payload -- customer data -- back to its creators. Timely action by Target's security staff in pruning the malware would have prevented the entire incident from happening, and would have saved Target millions in corrective actions.
Under the Plastic Card Security Act, any business entity operating in Minnesota is prohibited from storing security codes, PIN codes, or the full contents of any track of magnetic stripe data from customers' debit or credit cards for more than 48 hours after authorization of a transaction. Failure to comply makes a retailer liable for any theft of this data. Target argues that the third-party payment processors are responsible for the breach, so it has no liability, and no obligation to secure this data.
The lawyer for the banks, Karl Cambronne, told the judge that his clients "reject the notion that this case is all about the obvious, that is, the bad guys hacked into the system. Twice the Visa and Mastercard system had warned Target this malware is out there and you are not protected from it."
Magnuson has not yet ruled on the argument by Target.
(Last edited by NewsPoster; Nov 24, 2014 at 07:57 AM.)
Junior Member
Join Date: Mar 2008
Target should be made liable. Only then will they learn their lesson. And hopefully then, they will allow Apple Pay - which is much more secure than their system - for purchases in stores.
Forum Regular
Join Date: Apr 2010
Location: Prescott, AZ
I can see this getting complicated, but reading what is presented here it certainly sounds like Target was responsible for curating the CC terminals. So even if they don't own them, or whatever the argument is, it sounds like they have to share responsibility. Too many paws in the pot IMO. Enough that there should be a cash discount everywhere.
Senior User
Join Date: Mar 2009
Location: pacific northwest
"spanned November 29 through December 15, 2014" I see we're using some time travel to see what will be happening. I assume you meant 2013 but you made the same error twice. Target, and all other retailers, need to take ownership for the equipment used in their facilities. This includes their cash register systems. They are liable for everything else in the store (shelves falling, fires, bathrooms flooding, people tripping on gum on the floor) so why do they think they shouldn't be responsible for their computer systems, including the cash registers? Spend some of that profit on the cash registers instead of worthless advertising. I know a lot of people stopped going to Target after this issue. They lost a lot of sales because of this.
Managing Editor
Join Date: Jul 2012
Yeah, 2013.
Stupid Saturday shift.
Fresh-Faced Recruit
Join Date: Oct 2008
Location: So. Cal.
No responsibility!!! You have got to be kidding! They share responsibility with the terminal and processing owners though. Plus they held back announcing the breach. Now they disabled Apple Pay at the POS terminals, which is the most secure method of payment. And they are testing CurrentC, which already has had a data breach. Target is definitely going the wrong route and not thinking of the customers' best interests.
Fresh-Faced Recruit
Join Date: Jun 2000
Location: Philadelphia, PA
"Additional malware was discovered by [Target]'s own security software on December 2. A series of alarms were issued by the software with a highest-priority warning associated, all of which were ignored by Target security personnel."
If this is correct and Target knew there was a problem and ignored it, then that's negligence, plain and simple. I don't see how they can possibly argue that they're not at fault here.