Security vendor Trustwave was accused in a class-action suit of failing to detect the attack that led to Target's data breach, one of the largest on record.
Target, which is also named as a defendant, outsourced its data security obligations to Trustwave, which "failed to live up to its promises or to meet industry standards," alleged the suit, filed Monday in U.S. District Court for the Northern District of Illinois.
[ Learn how to greatly reduce the threat of malicious attacks with InfoWorld's Insider Threat Deep Dive PDF special report. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
Plaintiffs Trustmark National Bank of New York and Green Bank of Houston claim Target and Trustwave failed to stop the theft of 40 million payment card details and 70 million other personal records.
The lawsuit, one of dozens filed against Target, illustrates the growing frustration of banks burdened with the costs of reissuing compromised cards and their willingness to pull in other companies viewed as culpable into legal battles.
Support agreements between companies and security vendors are often confidential, and it was not clear from the suit how the banks determined Trustwave was one of Target's contractors.
A Trustwave spokeswoman said Tuesday via email the company doesn't confirm its customers or comment on pending legal matters. Target also said it also does not comment on pending litigation.
The suit contends Target retained Trustwave to monitor its computer systems and ensure compliance with PCI-DSS, an industry security recommendation pushed by MasterCard and Visa to protect cardholder data from leaking.
Trustwave claims on its website to provide guidance to millions of businesses for compliance with PCI standards with testing and assessment teams. Trustwave scanned Target's network on Sept. 20, 2013 and told Target no vulnerabilities were found, the suit alleges.
Target has said it believed attackers stole the data between Nov. 27, 2013, and Dec. 15, 2013, via malicious software installed on point-of-sale devices. The malware collected unencrypted payment card details after a card was swiped and briefly held in a computer's memory, capitalizing on a unknown weakness despite years of efforts to harden payment systems.
U.S. banks have spent more than $172 million reissuing cards, the suit said, citing figures from the Consumer Banker Association. The total cost of the breach to retailers and banks could exceed $18 billion, the suit claims.
The suit, which asks for a jury trial, seeks unspecified compensatory and statutory damages.
Send news tips and comments to firstname.lastname@example.org. Follow me on Twitter: @jeremy_kirk