N.Y. Bank Drops Lawsuit Against Target and Trustwave

By Sarah Todd March 31, 2014, 2:35 p.m. EDT 1 Min Read

Bank technology

Target Hackers Lurked for Months Before Pouncing at Holidays

The latest investigation into the massive data breach at Target has found that hackers entered the retailer's network by stealing a vendor's password and then patiently waited until the busy holiday season to strike.

By Penny Crosman

February 11
Analytics

Banks Sue Security Vendor Trustwave After Target Data Breach

The security vendor Trustwave has been accused of failing to identify security gaps at Target, according to a lawsuit filed by banks for damages suffered from the holiday season data breach.

By David Heun

March 25
Compliance

PCI Security Process Under Microscope as Breaches Mount

Many times, it seems, the best way for a company to learn whether it was compliant with the Payment Card Industry data security standard is to experience a data breach.

By David Heun

March 28

One of the two banks suing retailer Target and security vendor Trustwave in connection with the retailer's high-profile data breach has backed off.

Trustmark National Bank filed a notice of dismissal of its lawsuit on Friday in U.S. District Court in Chicago. The claims of co-defendant Green Bank still stand, the court clerk's office said Monday. Trustmark is based in New York City, and Green Bank is in Houston.

Trustmark and Green Bank filed a lawsuit against Target and Trustwave on March 24. The lenders sought at least $5 million in damages from the two firms, arguing that they had been unfairly saddled with the cost of cancelling and reissuing compromised cards "even though they had nothing to do with causing the data breach and could not have avoided it."

But Trustwave says that it too had nothing to do with the breach. The company did not provide data security services to Target, Trustwave Chief Executive Robert McCullen said in an open letter postedon the company's website on Saturday.

"Contrary to the misstated allegations... Target did not outsource its data security or IT obligations to Trustwave," McCullen wrote. "Trustwave did not monitor Target's network, nor did Trustwave process cardholder data to Target."

It was not clear why Trustmark and Green Bank believed there was basis to name Trustwave as a defendant in the case. Lawyers for the two lenders did not immediately return calls seeking comment.

Hackers stole payment card information from 40 million credit and debit cards over the course of two weeks in November and December, along with other personal information from 70 million customer records. Investigators have said that hackers cracked Target's network by using the password of its heating and air-conditioning supplier, Fazio Mechanical Services.

The lawsuit filed by Trustmark and Green Bank claims that Target failed to prioritize data safety, leaving its system vulnerable to the attack. It also claims that the retailer outsourced data security duties to Trustwave, relying on the vendor to ensure that its systems met Payment Card Industry Data Security Standard requirements. The requirements outline the steps companies must take in order to prevent the theft of payment card data.

Trustwave declined to comment further on the case. Target also declined to comment.

Sarah Todd

Deputy Editor, BankThink