In rare move, banks sue Target's security auditor

Trustwave failed to fulfill its obligations, complaint alleges

Two banks that claim to have suffered losses from the recent data breach at Target have sued Trustwave Holdings Inc., the company that was responsible for validating Target's compliance with the Payment Card Industry Data Security Standard.

In a lawsuit filed in federal court in Chicago, Trustmark National Bank and Green Bank N.A. sued both Target and Trustwave for not doing enough to protect customer payment card data. The lawsuit, which seeks class action status, accused both companies of negligence, deceptive practices, negligent misrepresentation and other misdeeds.

The suit seeks compensatory and statutory damages for what the banks claimed were the losses they sustained in canceling and reissuing credit and debit cards that were exposed in the Target data breach.

A Trustwave spokesman declined comment on the lawsuit. "Our company's policy is not to confirm that any party is a customer, not to comment on specific customers and not to comment on pending legal matters."

The lawsuit is one of the rare occasions where a PCI security auditor has been sued over a data breach involving a client.

Companies like Trustwave are called qualified security assessors (QSAs) in PCI parlance. They are responsible for conducting security assessments of retailers and others covered by the PCI standard. In Trustwave's case, the company also provides a range of security services to help companies achieve PCI compliance status.

Large companies like Target are required to go through onsite PCI security audits every year and must perform vulnerability scans of their networks at least once each quarter. Companies that fail to attain or maintain PCI compliance can face big fines in the event they are breached, as Target was.

In recent years, many businesses that suffered major data breaches have claimed they were compromised despite being certified as fully PCI compliant by a QSA. Their complaints have prompted questions about the effectiveness of PCI security controls and the compliance validation process in particular.

Some have even suggested that PCI assessors should be held accountable to a certain extent, if a company they certify as being PCI compliant later suffers a data breach.

However, the PCI Security Standards Council, which administers the standard, has dismissed such claims and has insisted that a company cannot have been compliant if it was breached.

The latest lawsuit by the two banks could bring such issues to the fore.

The 48-page complaint accuses Trustwave and Target of failing in their duty to protect sensitive customer data despite knowing about risks to the data from malicious attackers. It noted that the data breach happened only because Target failed to adhere to established industry standards for securing payment card data.

The complaint also states that Target outsourced several key security monitoring and management tasks to Trustwave, which then failed to live up to its obligations as a third-party security service provider.

Though Trustwave repeatedly touted its skills as a PCI auditor and a PCI security service provider, the company failed to identify the vulnerabilities in Target's networks that led to the breach, the complaint alleged. Just two months before the breach, Trustwave scanned Target's network and informed the retailer that there were no vulnerabilities present when in fact there were multiple problems.

"Because of these vulnerabilities in Target's security systems -- either undetected or ignored by Trustwave -- hackers were able to take 40 million payment card records, encrypted PINs, and 70 million records containing Target customer information over the course of two weeks," the complaint stated.

Trustwave also provided round-the-clock network monitoring services for Target yet failed to detect the intrusion into the company's networks for a full three weeks.

"Trustwave failed to live up to its promises, or to meet industry standards. Trustwave's failings, in turn, allowed hackers to cause the data breach and to steal Target customers' PII and sensitive payment card information," the two banks claimed.

Jim Huguelet, an independent retail security consultant, said blaming a QSA for a customer breach is somewhat disingenuous.

QSAs, like most auditors, are largely dependent on the information provided to them by clients, he said. If Target did not accurately communicate the details of its network access practices and security controls, Trustwave would have had a hard time finding those details on its own, without extensive and expensive testing.

"If a QSA wants to deeply, independently validate the information that is provided to them by brick-and-mortar retailers with large store footprints, the costs to do this will move from the five- and low six-digit range each year to the high-six and low seven-digit range. Retailers will push back hard."

Any QSA that insists on doing really deep-dive audits will quickly find itself priced out of the market by rivals willing to do a more perfunctory audit for substantially less, he said.

This article, In rare move, banks sue Target's security auditor, was originally published at

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is
