Target Corp. faces almost two dozen lawsuits filed by customers after a computer security breach exposed data on 40 million debit and credit cards.
Customers have filed complaints seeking group, or class-action, status for their suits in state and federal courts from the company's home state of Minnesota to California and New York. Most accuse Target of failing to protect their private information.
The information obtained during the breach "is a treasure trove for identity theft criminals who could use it to gain access to credit card and other private and valuable information about customers," one of the plaintiffs, Alfonso E. Alonso III of San Francisco, said in a complaint.
Industry insiders say credit union class actions may be on the way as well.
With the Christmas holiday, the $4.2 billion Pennsylvania State Employees CU in Harrisburg, Pa., has not had a chance to discuss any potential legal actions it might take. “But with nearly 30,000 cards to be reissued, we will certainly have costs,” said CEO Greg Smith.
Smith has read that the nature of this compromise may be even more serious, with the possibility that encrypted PINS were stolen. “That might enable the hackers to break the encryption key and lead to more losses via the ATM channel.”
PSECU still has an active case against the Heartland Corporation for the breach that occurred in 2008. “We’re back in District Court in Texas on that. The issue is negligence on the part of Heartland that led to the breach.”
Target said Dec. 19 that security for the cards may have been breached between Nov. 27 and Dec. 15 during purchases in stores. While the chain said it had identified and resolved the issue, the compromise occurred during the most important period of the year for retailers, with shoppers already showing reluctance to spend.
In a statement earlier this week, Target said it's unveiling a special website to communicate with customers. The retailer said "limited incidents" of fake communications claiming to be from the company prompted it to set up the dedicated channel for posting information about the breach.
Alonso said in a complaint filed Dec. 23 in federal court in Minneapolis that Target didn't notify consumers its computers' security was compromised until after the incident was reported in the media. That prevented customers from taking the necessary steps to protect against identity theft and fraud, he claimed.
He said he's a regular Target customer and bought items at the store during the breach period, including a scooter and a helmet he bought for $60.98 on Dec. 2 to donate to a children's charity.
Since disclosing the breakdown the Minneapolis-based company has agreed to give some shoppers free credit reporting, assured them they wouldn't be responsible for fraudulent charges and offered a 10 percent discount on purchases last weekend to regain their trust.
The company said General Counsel Tim Baer hosted a call for states attorneys general Dec. 23 to discuss the breach to "provide them with information about the issue and answer their questions as well as those of their constituents."
Massachusetts is among states probing the security breakdown.
The company also said it is "actively partnering" with the U.S. Department of Justice and the Secret Service on a continuing forensic and criminal probe. Neither entity is investigating Target, according to the statement.
Molly Snyder, a spokeswoman for Target, said the company "typically doesn't comment on pending litigation."
Ray Birch contributed reporting to this story
