Published December 20, 2013
Four state attorneys general now say they are demanding answers from Target, as the threat of class action lawsuits from customers mounts.
Massachusetts attorney general Martha Coakley, who headed the multi-state probe into the 2007 data breach of 90 million cards at TJ Maxx, is now working with other state attorneys general to determine whether Target (TGT) had proper safeguards. New York attorney general Eric Schneiderman is demanding answers. The attorneys general for South Dakota and Connecticut want answers, too.
According to Target, credit and debit card information for approximately 40 million customers who shopped in their stores may have been hacked between Nov. 27 and Dec. 15. Target has indicated that the information involved included customer names, credit or debit card numbers, and the card’s expiration date and CVV (the three-digit security code). But Target says it has determined that the hack involved credit card and debit card information for purchases at its retail stores only; online purchases were not affected.
Card holders are being asked to review their account statements, and debit card holders are being urged to change their cards or PIN numbers.
In a statement, Target says that it “is working closely with law enforcement and financial institutions, and has identified and resolved the issue.”
Gregg Steinhafel, chairman, president and chief executive officer of Target, said in the statement: “Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” adding, “we take this matter very seriously and are working with law enforcement to bring those responsible to justice.”
A customer in California filed a class-action lawsuit against Target late Thursday, the first of what lawyers say could be many. The suit asks the court to ascertain whether "Target unreasonably delayed in notifying affected customers of the data breach,” meaning Target could be liable and may have to foot the bill reaching into the hundreds of millions of dollars.
Target also faces potential fines due to alleged poor security from MasterCard, Visa and American Express, which means a possible increase in merchant fees. So far, J.C. Penney, Wal-Mart, Best Buy and Home Depot say they believe their systems had not been compromised. But retailers typically only know after the fact.
The state attorneys general could wring fines out of Target, similar to how T.J. Maxx had to pay $9.75 million in fines over its card security breach. Massachusetts says it got “more than $950,000 to aid efforts to protect consumers' personally-identifiable information.”
The Massachusetts attorney general also says her office has “contacted Target to review the circumstances of the breach and the steps the company is taking to address it,” and that it “will work with attorneys general across the country to determine whether Target had proper safeguards in place to protect consumer information.”
The office of the New York attorney general says it has requested “that Target offer each of the affected New York consumers, at a minimum, one year free credit monitoring service.”
The Connecticut attorney general, George Jepsen, is demanding Target give his office answers to a list of 10 demands, including: access to third party investigation reports; steps Target has taken to protect customer information on its data networks; steps it has taken to contact and protect his state residents affected by the breach, and his office is asking for two years worth of free credit monitoring and identity theft protection for state residents.