The security company has been named in a class action

Mar 31, 2014 06:53 GMT

Last week, Trustmark National Bank and Green Bank, on behalf of themselves and other financial institutions, filed a lawsuit against Target, the US retailer that suffered a massive data breach last year. IT security firm Trustwave has also been named in the suit, but the company denies being responsible in any way for the incident. 

In the class action, Target is accused of failing to protect its customers’ personally identifiable information even after being warned by third parties of the existence of major vulnerabilities in its system.

The plaintiffs allege that at the time of the breach, the retailer was not in compliance with the Plastic Card Security Act, the PCI DSS, the Red Flag Rules or the Card Operating Regulations.

As far as Trustwave is concerned, the financial institutions claim that Target outsourced its data security obligations to the security company.

“Upon information and belief, Target retained Trustwave during the relevant period of time to protect and monitor Target's computer systems, and to bring Target's systems into compliance with PCI DSS and other industry standards for protecting customers' PII and sensitive payment card information,” the complaint reads.

The complaint also claims that Trustwave scanned Target’s computer systems on September 20, 2013, but couldn’t find any vulnerabilities.

“To the contrary, however, and as reported by The New York Times, Target kept credit and debit card data on its servers for six full days before hackers transmitted the data to a separate webserver outside of Target's network,” the plaintiffs wrote.

They claim that Target was breached because of the vulnerabilities “undetected or ignored” by Trustwave.

In response to the allegations, Trustwave’s CEO Robert McCullen published the following statement:

“In response to these legal filings, Trustwave would like to reassure our customers and business partners that these claims against Trustwave are without merit, and that we look forward to vigorously defending ourselves in court against these baseless allegations.”

“Contrary to the misstated allegations in the plaintiffs' complaints, Target did not outsource its data security or IT obligations to Trustwave. Trustwave did not monitor Target's network, nor did Trustwave process cardholder data for Target,” McCullen added.

“Our customers and business partners can continue to expect the quality and dedicated service Trustwave has provided them for almost 20 years.”

McCullen hasn’t clarified the role of his company in all of this, but we’ll probably find out during the trial. In any case, even if Trustwave has provided compliance services to Target, compliance doesn’t equal security, as SecurityWeek highlights.