In rare move, banks sue Target's security auditor
Trustwave failed to fulfill its obligations, complaint alleges
Computerworld - Two banks that claim to have suffered losses from the recent data breach at Target have sued Trustwave Holdings Inc., the company that was responsible for validating Target's compliance with the Payment Card Industry Data Security Standard.
In a lawsuit filed in federal court in Chicago, Trustmark National Bank and Green Bank N.A, sued both Target and Trustwave for not doing enough to protect customer payment card data. The lawsuit, which seeks class action status, accused both companies of negligence, deceptive practices, negligent misrepresentation and other misdeeds.
The suit seeks compensatory and statutory damages for what the banks claimed were the losses they sustained in canceling and reissuing credit and debit cards that were exposed in the Target data breach.
A Trustwave spokesman declined comment on the lawsuit. "Our company's policy is not to confirm that any party is a customer, not to comment on specific customers and not to comment on pending legal matters."
The lawsuit is one of the rare occasions where a PCI security auditor has been sued over a data breach involving a client.
Companies like Trustwave are called qualified security assessors (QSAs) in PCI parlance. They are responsible for conducting security assessments of retailers and others covered by the PCI standard. In Trustwave's case, the company also provides a range of security services to help companies achieve PCI compliance status.
Large companies like Target are required to go through onsite PCI security audits every year and must perform vulnerability scans of their networks at least once each quarter. Companies that fail to attain or maintain PCI compliance can face big fines in the event they are breached, as Target was.
In recent years, many businesses that suffered major data breaches have claimed they were compromised despite being certified as fully PCI compliant by a QSA. Their complaints have prompted questions about the effectiveness of PCI security controls and the compliance validation process in particular.
Some have even suggested that PCI assessors should be held accountable to a certain extent, if a company they certify as being PCI compliant later suffers a data breach.
However, the PCI Security Standards Council, which administers the standard, has dismissed such claims and has insisted that a company cannot have been compliant if it was breached.
The latest lawsuit by the two banks could bring such issues to the fore.
The 48-page complaint accuses Trustwave and Target of failing in their duty to protect sensitive customer data despite knowing about risks to the data from malicious attackers. It noted that the data breach happened only because Target failed to adhere to established industry standards for securing payment card data.
- A More Predictable Way to Budget Software Costs Wavetronix enables creative collaboration while cost-effectively accessing all the latest tools with Adobe Creative Cloud for teams. For Wavetronix, collaboration was easy when...
- Adobe Creative Cloud for teams Security Overview This white paper describes the proactive approach and procedures implemented by Adobe to increase the security of your Creative Cloud experience and your...
- 3 Big Data Security Analytics Techniques You Can Apply Now to Catch Advanced Persistent Threats This technical white paper demonstrates how to use Big Data security analytics techniques to detect advanced persistent threat (APT) cyber attacks, and it...
- IT Security by the Numbers: Calculating the Total Cost of Protection Humorist Franklin P. Jones may have said it best: "When you get something for nothing, you just haven't been billed for it yet."...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success! All Data Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!