Judge paves way for banks to sue Target over data breach

Judge paves way for banks to sue Target over data breach

A US judge has given a group of banks the go-ahead for a class action lawsuit against Target over the massive 2013 data breach at the US retail chain.

US district judge Paul Magnuson certified the class action, paving the way for the banks to jointly pursue their claims over the cyber break-in, which saw thieves steal the card details of tens of millions of customers.

The banks bringing the class action - Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union and First Federal Savings of Lorain - say that the breach forced them to reissue around 25,000 cards, at a cost of $30 million.

A spokeswoman for Target, Molly Snyder, told Reuters that the company was "disappointed" and will now evaluate what to do next. A settlement could now be on the cards.

Some banks have already settled. Target and Visa reached an agreement of up to $67 million to reimburse member banks several weeks ago. However, an earlier $19 million deal with MasterCard fell through because not enough banks signed off on it.

Comments: (3)

A Finextra member
A Finextra member 16 September, 2015, 19:022 likes 2 likes

"... breach forced them to reissue around 25,000 cards, at a cost of $30 million". 

I make that $1,200 dollars per card! How does that work out? 

Bill Trueman
Bill Trueman - Riskskill.com - London 17 September, 2015, 10:441 like 1 like

The cost of re-issue will be less than a tenth of that per card. How they can justify that size of loss based upon a reissue alone is not conceivable.

Accordingly, this figure MUST be calculated to include some of the 'consequential loss' - i.e. that the compromised cards were then used. Accordingly the banks will have to show a loss on their cards (as well as the costs to them of re-issue).

If I were in Target (and/or the Lawyers in the the defence team) then I would have plenty of defence arguments to tender:

a) What did the banks do to mitigate the losses.

b) What did their systems look for in the unusual transactional activity.

c) As the cards were compromised with limited security details, why did the banks not check the security details and prevent the transactions (as is done in most other places in the world).

d) As a preventative solution, why had the banks not implemented greater security with EMV (and/ or EMV with CHIP and PIN) as this would have significantly (or completely) removed the possibility that these cards could have been of use. The US issuers involved are far behind the global 'curve' on upgrading to the latest technology that was introduced across the rest of the world 15 - 10 years ago.

Someone introduce me to the consortium of banks or their lawyers to help build their case against Target - or better still to the Target people (and/or their indemnity insurers), as they probably have the much better and more fun case to present to the courts. 

In all cases and scenarios, this will be a superb case to watch; and reveals how poor the infrastructure in the USA is, and how far behind both the infrastructure and the thinking actually is - on all sides.


A Finextra member
A Finextra member 17 September, 2015, 21:07Be the first to give this comment the thumbs up 0 likes No losses, no claims, agree completely. Reissue costs $5 a card....so $125,000 at best. Lawyers fees here and the court understanding is the bulk of the fee. t $1,995 per card....which makes sense and then totals $30million. gotta pay the lawyers....