Consumers represented by Hagens Berman Sobol Shapiro filed a class-action lawsuit on Tuesday against Target, alleging the retailer ignored earlier warnings that the company’s point-of-sale systems were vulnerable to cyberattacks.
The suit—filed in the U.S. District Court for the Northern District of California—alleges that security expert Neal Krawetz notified Target and other major retailers of their vulnerability to attack in a 2007 white paper outlining POS risks at national retailers.
The paper, which cited Target as a specific example, warned that a lack of security in POS systems could jeopardize consumer financial information and estimated that as many as 58 million consumers could be at risk for data theft unless the retailer remedied the issues.
Defendants said in the complaint that a Target developer responsible for oversight of the company’s POS systems acknowledged having received the paper and requested permission to send it to other company employees. The suit alleges, however, that Target failed to implement Krawetz’s recommendations, leaving the retailer vulnerable.
“We believe that Target not only knew its systems were vulnerable to exactly this kind of attack all the way back in 2007, but was alerted to and acknowledged suggestions that would have made its customers safer,” Tom Loeser, a Hagens Berman Partner and former federal prosecutor in the Cyber and Intellectual Property Crimes Section of the U.S. Attorneys’ Office in Los Angeles, said. “However, Target did not act on this knowledge, and as a result, tens of millions have had their personal information stolen and financial accounts compromised.”
The complaint also alleged that Target was likely non-compliant with industry data security standards, pointing to a statement from an analyst that said three-digit CVV codes on the back of credit and debit cards must have been stored in order to have been stolen, though the PCI Data Security Standard bans the practice.
Additionally, attorneys allege that Target repeatedly misled customers about the scope and nature of the breach. Target initially said only 40 million customer accounts may have been affected but later announced as many as 70 million customers may have been affected by the breach.
“It is our hope that this lawsuit will cause Target and other major retail chains that handle the personal and financial information of millions of Americans to take data theft seriously and continuously improve their security to meet the increasing threat from data breach attacks,” Hagens Berman Managing Partner Steve Berman said. “Target chose to save millions by not implementing adequate data protection protocols, and we believe those savings should be used to compensate Target customers for the costs, frustration, and countless hours of lost productivity that resulted.”