Banks drop Target breach lawsuit amid Trustwave liability questions
Two banks have suddenly dropped what was expected to be a precedent-setting lawsuit related to the massive data breach at Target Corp., perhaps temporarily sparing the retailer's audit firm, Trustwave Holdings Inc., from being held liable for its client's breach.
They're all PCI compliant, and they're all being breached.Michael Scheidell,
Managing Director, Security Privateers
In the lawsuit, which was filed on March 25 in Chicago's U.S. District Court by Houston-based Green Bank and New York-based Trustmark Bank, the Minneapolis-based retailer was blamed for the weeks-long data breach, which occurred during the 2013 holiday shopping period. The breach resulted in the theft of approximately 40 million credit and debit card numbers, as well as the personal information of 70 million customers.
Unusually, the banks also sought to pin liability on Trustwave, one of the most prominent PCI DSS compliance assessment firms in the industry, alleging that Target had contracted the company to perform a number of security services, including providing "round-the-clock monitoring services" for its systems and bringing the company into compliance with PCI DSS standards.
Specifically, the lawsuit alleged Trustwave had "told Target that there were no vulnerabilities in Target's computer systems" after performing a scan on Sept. 20, 2013, and ultimately accused the security vendor of failing to "meet industry standards" by not spotting the Target breach in a timely manner.
Trustwave last week repeatedly declined to comment on the suit, but over the weekend the company published a short statement from its CEO, Robert McCullen, on its website denying some of the allegations laid out in the legal filing.
"Trustwave would like to reassure our customers and business partners that these claims against Trustwave are without merit, and that we look forward to vigorously defending ourselves in court against these baseless allegations," McCullen said in the statement. "Contrary to the misstated allegations in the plaintiffs' complaints, Target did not outsource its data security or IT obligations to Trustwave. Trustwave did not monitor Target's network, nor did Trustwave process cardholder data for Target."
Though unclear what impact Trustwave's statement had on the pending litigation, ChicagoBusiness.com, who first reported on the lawsuit, confirmed court documents indicated the filing has been dropped, though noted it was "dismissed without prejudice," opening the doors for the suit to be refiled in the future.
At the time of publishing, neither Trustmark Bank nor Green Bank responded to Search Security's requests for comment. A Trustwave spokesperson said the company had no further comments at this time.
Michael Scheidell, CCISO, Managing Director for Boca Raton, Fla.-based IT assessment firm Security Privateers, said the lawsuit's allegations had seemed a "little strange." He questioned whether pulling the filing meant the banks' sources behind the information on Trustwave's involvement in the Target breach were reliable.
Though Trustwave's McCullen pointedly denied a number of allegations in his statement, including monitoring Target's systems and processing any cardholder data, McCullen did not deny that Target was a Trustwave client, Scheidell noted, nor that the security vendor had performed at least one PCI assessment for the retailer. If Trustwave did perform an assessment, Scheidell found the possibility of the auditors not finding any vulnerabilities, as indicated in the lawsuit, to be absurd.
"I've been doing this 14 or 15 years, and I've never not found a vulnerability" during an assessment, Scheidell said. "There's always something somewhere -- whether it's small or big, whether it's hard to take advantage of or leads to a data breach, there [are] always vulnerabilities somewhere. So that is a ridiculous statement."
Scheidell said it was unlikely a company the size of Trustwave would purposely ignore problems discovered during an assessment in order to keep a client happy, though he warned auditors and other companies that perform security assessments to be careful when negotiating final reports with clients.
While Scheidell said he has rarely ran into problems with clients that commission assessments, on one occasion a customer did ask his firm to change its assessment results because it couldn't hand over the findings to the executive committee without being asked to fix some issues. In that case, he said the problem was that the customer was running software that could no longer receive updates, a problem many merchants with Windows XP-based systems will face next week when XP's end-of-life date comes to pass.
"There's always the temptation for auditors to make the report look better," Scheidell said, "so they get that business next year."
Enterprises also need to adjust their expectations for what an assessment can accomplish, Scheidell said, especially when a company is found to be compliant with PCI DSS or another regulatory standard. In particular, he noted that PCI auditors come in at scheduled times and that IT and security teams have become adept at giving the auditors what they want. He said being PCI-compliant, as Target reportedly was, does not mean the organization is secure.
"PCI compliance in itself does not mean you're not vulnerable," Scheidell said. "It just means you met the specific requirements for that snapshot; that point in time when auditors came in.
"They're all PCI-compliant, and they're all being breached."