Banks file lawsuit against Trustwave for Target data breach
Vulnerabilities were either "undetected or ignored by Trustwave", claim banks
Banks have filed a lawsuit against security firm Trustwave for failing to spot security gaps at US retailer Target, which led to a disastrous data breach that affected millions of customers.
Hackers are believed to have stolen 40 million credit and debit customer records and 70 million other customer records from Target.
Trustmark National Bank and Green Bank N.A. are seeking damages of more than $5m (£3m) and have named Trustwave and Target as defendants, the American Banker reported.
The lawsuit is just one of nearly 100 that are reported to have been filed by Target customers or banks as a result of the breach.
In their complaint, the banks state that Trustwave has "performed more Payment Card Industry Data Security Standard (PCI DSS) certifications than all other companies combined". The standard aims to ensure that retailers adequately protect card payments data.
Major credit card companies such as Visa, MasterCard and American Express all require retailers to comply with the PCI standard, and the banks claim that Target was likely out of compliance with the standard because reports suggest that the hack went unnoticed for more than two weeks.
The banks state that Trustwave believes it has "deep expertise in PCI compliance", but they claim that Trustwave told Target on September 20, 2013 that its systems had no vulnerabilities, and that vulnerabilities were "either undetected or ignored by Trustwave".
The lawsuit estimates that the banks will spend about $172m (£104m) combined in reissuing credit and debit cards, and their total losses, which take into account fraudulent charges, could hit $18bn (£11bn).
Ironically, in the same report, Rob Havelt, director of penetration testing at the defendant Trustwave's SpiderLabs, said that PCI-compliant networks are easy to attack because of other vulnerabilities in an organisation's network.
He said that an opening part of the attack scenario could include an Address Resolution Protocol (ARP) spoofing attack, a technique in which an attacker sends forged ARP messages onto a local area network.
This would give the attacker access to some of the network's traffic, allowing them to learn how the network operates and therefore locate where the sensitive data is stored.
"We still don't have ARP spoofing figured out. It's simple to do and it can be devastating," he had said.
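Seen from the defender's side, the ARP spoofing Havelt describes has a recognisable signature on the wire: a reply that rebinds an IP address already known under one MAC to a different MAC, often arriving without any request having asked for it. The following is an added example, not code from the article, from Trustwave or from Target: a small arpwatch-style monitor in Python that parses raw ARP payloads (RFC 826, Ethernet/IPv4, without the Ethernet header) and flags exactly those two conditions. Every packet, MAC and IP address in the capture, and the "trusted" gateway entry, are constructed sample data, and `ArpMonitor`, `parse_arp` and `scan` are names chosen here, not from any existing tool.

```python
"""Minimal ARP spoof detector (added example, constructed sample data).

Detection logic:
  * a reply that binds an IP to a MAC different from the one learned earlier
    (or pinned in a static 'trusted' table, e.g. the gateway) is a conflict;
  * a reply for which no matching request was seen is 'unsolicited'.
Nothing here sends traffic; it only inspects packets it is given.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional

ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpPacket:
    oper: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(payload: bytes) -> ArpPacket:
    """Parse a 28-byte Ethernet/IPv4 ARP payload (Ethernet header already stripped)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return ArpPacket(oper, fmt_mac(sha), fmt_ip(spa), fmt_mac(tha), fmt_ip(tpa))


class ArpMonitor:
    """Tracks IP->MAC bindings learned from replies and outstanding requests."""

    def __init__(self, trusted: Optional[dict] = None):
        # Static entries (assumed: gateway pinned by the operator) beat learned ones.
        self.trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.seen: dict = {}      # ip -> mac learned from earlier replies
        self.pending: set = set()  # (requester_mac, requested_ip) awaiting a reply
        self.alerts: list = []

    def observe(self, pkt: ArpPacket) -> Optional[str]:
        if pkt.oper == ARP_REQUEST:
            self.pending.add((pkt.sender_mac, pkt.target_ip))
            return None
        if pkt.oper != ARP_REPLY:
            return None
        reasons = []
        key = (pkt.target_mac, pkt.sender_ip)
        if key in self.pending:
            self.pending.discard(key)
        else:
            reasons.append("unsolicited")
        expected = self.trusted.get(pkt.sender_ip, self.seen.get(pkt.sender_ip))
        if expected is None:
            self.seen[pkt.sender_ip] = pkt.sender_mac
        elif expected != pkt.sender_mac:
            reasons.append(f"MAC changed from {expected}")
        if not reasons:
            return None
        alert = f"{pkt.sender_ip} claimed by {pkt.sender_mac}: " + ", ".join(reasons)
        self.alerts.append(alert)
        return alert


def scan(capture_hex: list, trusted: Optional[dict] = None) -> list:
    """Run the monitor over hex-encoded ARP payloads; return the alerts raised."""
    mon = ArpMonitor(trusted)
    for pkt_hex in capture_hex:
        mon.observe(parse_arp(bytes.fromhex(pkt_hex)))
    return mon.alerts


# Constructed capture: gateway 192.168.1.1 (00:11:22:33:44:01), host 192.168.1.10
# (aa:bb:cc:dd:ee:10), and a rogue station de:ad:be:ef:00:01 that answers for
# the gateway's IP towards the host without being asked.
SAMPLE_CAPTURE = [
    "0001080006040001" "aabbccddee10" "c0a8010a" "000000000000" "c0a80101",  # host asks who-has gateway
    "0001080006040002" "001122334401" "c0a80101" "aabbccddee10" "c0a8010a",  # gateway answers
    "0001080006040001" "001122334401" "c0a80101" "000000000000" "c0a8010a",  # gateway asks who-has host
    "0001080006040002" "aabbccddee10" "c0a8010a" "001122334401" "c0a80101",  # host answers
    "0001080006040002" "deadbeef0001" "c0a80101" "aabbccddee10" "c0a8010a",  # rogue reply: gateway IP, other MAC
]
TRUSTED = {"192.168.1.1": "00:11:22:33:44:01"}  # assumed static gateway entry

if __name__ == "__main__":
    for line in scan(SAMPLE_CAPTURE, TRUSTED):
        print("ALERT", line)
```

Only the fifth packet trips the monitor, with both reasons at once (no outstanding request from the host for the gateway, and a MAC that disagrees with the pinned entry). In a real deployment the packets come from a promiscuous capture on the segment being watched; treat the "unsolicited" reason on its own as low severity, since gratuitous ARP on address assignment or failover is legitimate, and weight the binding change, especially for a pinned gateway, as the real signal.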
Earlier this month, the CIO of Target, Beth Jacob, resigned as the company looked to restructure its security and compliance division following the data breach.