Trustwave plans to fight "baseless allegations" over Target breach

Last week, Trustmark National Bank and Green Bank NA filed a complaint in Chicago federal court accusing Target and Trustwave of failing to properly secure customer data and enabling the theft of 110 million records, including 40 million credit cards.

Trustmark and Green Bank are seeking at least $5 million in unspecified damages, but said that losses could top $1 billion for the card issuers they're looking to represent (if class action status is approved), and more than $18 billion for banks and retailers.

According to the court documents, Trustwave is involved because they failed to adequately protect Target's network.

Trustwave scanned Target's computer systems on Sept. 20, 2013, and told Target that there were no vulnerabilities in Target's computer systems. Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target's systems and compromises of PII or other sensitive data. In fact, however, the data breach continued for nearly three weeks on Trustwave's watch.

Trustwave failed to live up to its promises or to meet industry standards. Trustwave's failings, in turn, allowed hackers to cause the data breach and to steal Target customers' PII and sensitive payment card information. In addition, Trustwave failed to timely discover and report the data breach to Target or the public.

The full court documents are available here.

In response to these claims, Trustwave's CEO, Robert J. McCullen, has issued a statement on the matter, promising that his company is prepared to go to court over this and fight. In addition, sources close to the matter have confirmed that Trustwave didn't offer any additional services to Target, something the statement touches on.

"Dear Customers and Business Partners,

As some of you may know, Trustwave was recently named as a defendant in lawsuits relating to the data security breach that affected Target stores in late 2013.

In response to these legal filings, Trustwave would like to reassure our customers and business partners that these claims against Trustwave are without merit, and that we look forward to vigorously defending ourselves in court against these baseless allegations.

Contrary to the misstated allegations in the plaintiffs' complaints, Target did not outsource its data security or IT obligations to Trustwave. Trustwave did not monitor Target's network, nor did Trustwave process cardholder data for Target.

Our customers and business partners can continue to expect the quality and dedicated service Trustwave has provided them for almost 20 years."

In the aftermath of the breach, Target has lost its CIO and faces other compounding problems, including reputation setbacks and lawsuits outside of this one. The fact that this is the second time Target has been hit by such a breach makes things worse. But the charges against Trustwave are significant.

In interviews with CSO, Jacob Olcott, who manages the cybersecurity practice at Good Harbor Security Risk Management, and Lisa Sotto, chair of the global privacy and cybersecurity practice at Hunton & Williams, commented on the case.

"It's a significant development because auditors and security technology companies have never previously faced liability for failing to detect or mitigate breaches. It certainly raises the bar for auditors, who may modify their auditing practices to enhance the scrutiny of the companies they audit," said Olcott.

Some assessors are more "check the box" and less rigorous, while others are extremely thorough, Sotto said. Less diligent QSAs will sometimes cut corners in order to keep prices competitive. "The QSAs would be wise to pay attention to this and to ensure that there's appropriate rigor in their assessments," Sotto added.

"The cost pressure results in probably less time than may be needed to do an appropriate assessment."
