A U.S. judge on Thursday cleared the way for consumers to sue Target Corp. over the massive security breach in 2013 at the Minneapolis-based retailer that they say compromised their personal financial information.
This story first appeared in the December 22, 2014 issue of WWD. Subscribe Today.
U.S. District Court Judge Paul Magnuson dismissed claims by plaintiffs in several states but basically denied Target’s request to toss out the proposed class-action lawsuit.
Magnuson rejected Target’s argument that the consumers lacked standing to sue because they couldn’t establish any injury, saying, “Plaintiffs’ allegations plausibly allege that they suffered injuries that are ‘fairly traceable’ to Target’s conduct.”
The ruling followed a similar decision by Magnuson earlier this month that allowed a group of banks to move forward with a lawsuit to recoup money they spent reimbursing fraudulent charges and issuing new credit and debit cards as a result of the breach. The banks accused Target of cutting corners with regard to security.
Target has said that at least 40 million credit cards were compromised in the breach, which was one of the largest cyber attacks on a U.S. retailer. The records of as many as 110 million consumers may have been affected.
Target is accused of not properly protecting sensitive data in its network. The complaint also alleges that Target kept sensitive, protected card data on its servers for longer than the period allowed by the Minnesota Plastic Card Security Act.
According to the complaint, hackers obtained access to Target’s system through a third-party vendor, Fazio Mechanical Services, an HVAC company that wasn’t required to maintain adequate computer security. Target was notified on Nov. 30, 2013, that there was malware on its system, but the retailer took no action, the complaint alleged. Target received another alert on Dec. 2, 2013, and again did nothing, the complaint said. The U.S. Department of Justice notified Target about the breach on Dec. 12, 2013. News of the data breach was made public by Target on Dec. 19, 2013.
Thursday’s ruling applied to shoppers who used debit or credit cards at U.S. Target stores during the period of the breach and had their information compromised, resulting in unauthorized charges, lost account access, fees and costs of credit monitoring.
A spokesman for Target said the company does not comment on pending litigation.