Target Ruled Negligent

A Minnesota judge has ruled that Target was negligent in the 2013 hack of its point-of-sale system, according to Infosecurity Magazine. While this is far from the last word on the issue and will likely be appealed after the trials, it is important. For a judge to say that Target WAS NEGLIGENT is a huge win for the plaintiffs.

The judge said:

“Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur,” Magnuson wrote in his ruling. “Indeed, Plaintiffs’ allegation that Target purposely disabled one of the security features that would have prevented the harm is itself sufficient to plead a direct negligence case.”

A couple of details in the article –

  • The attack was made possible by Target’s poor network sequestration. Unfortunately, the same is true of a couple of million other businesses. If businesses made this one change, it would have a huge positive impact on POS attacks.
  • Multiple alarms from the FireEye early warning system were received and ignored.  For many companies, there is so much chatter from these alarm systems that it can get overwhelming.  In this case, I have seen reports that the alarms were validated and escalated – and still ignored.  This is going to be a problem for Target at trial.

The banks say they lost billions of dollars last year alone.

This is going to be a long, hard battle with a lot of twists and turns, so this is far from the last word. But the outcome of this case will likely set a precedent for other retailer breaches, especially if it gets appealed up to the Supremes.