With all IT data breaches there is a common cycle. First there is the fear over who is at risk, then theories on how the breach occurred, and finally the blaming and lawsuits start to roll in. In the breach of retailer Target, the lawsuits are now coming in, but in a surprising move, one lawsuit isn't just going after Target; it's also going after security vendor Trustwave.
Target first revealed that it had been breached by attackers on Dec. 9, 2013, and ever since, there have been lots of speculation on what went wrong. All U.S retailers are required to be compliant with the Payment Card Industry Data Security Standard (PCI-DSS), in order to securely process credit card transactions. The question of Target's PCI-DSS compliance status has been an important part of the conversation surrounding the data breach, and now the company that conducted the PCI-DSS compliance testing for Target is being named in a legal action.
In a class action lawsuit filed on March 24 in the U.S. District Court, Northern District of Illinois, Trustmark National Bank and Green Bank have named Trustwave alongside Target in their complaint.
According to the legal complaint, "Target outsourced its data security obligations to Trustwave, which failed to bring Target's systems up to industry standards."
Trustwave declined to comment to eWEEK about the allegation or even admit if Target was in fact a Trustwave client.
The legal complaint alleges that Trustwave scanned the Target network on Sept. 20, 2013, and at the time told Target that there were no vulnerabilities in Target's systems.
"Additionally, on information and belief, Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target's systems and compromises of PII (Personally Identifiable Information) or other sensitive data," the complaint states. "In fact, however, the Data Breach continued for nearly three weeks on Trustwave's watch."
The accusation that a key security vendor for Target is somehow also culpable in the data breach is very serious. The issue with many PCI-DSS compliance assessments has long been that the assessments are point-in-time check marks for compliance. It's a lesson that the newer PCI-DSS 3.0 standard that came into effect in January of this year takes to heart, with a stronger emphasis on process and continuous monitoring efforts.
If an organization is certified to be PCI-DSS compliant, it doesn't necessarily mean it is invulnerable to attack either. It means that at a point in time, the organization had the security controls in place that made it compliant. The idea that a PCI-DSS assessor could be liable in the event of a breach is a dangerous one. The assessor doesn't typically run the day-to-day security operations, although in this case, the legal complaint alleges that Trustwave was in fact providing "round-the-clock" monitoring. If a managed service provider (in this case, Trustwave) is on the job and a breach occurs, is it liable in that case?
Every security contract I've ever seen has had its fair share of terms and stipulations. Rarely, if ever, have I seen a managed service contract that can guarantee that an enterprise will 100 percent not be breached. Typically, the contracts include service-level agreements (SLAs) and response time stipulations and not iron-clad statements about making an organization invulnerable.
The reality is that the absolute truth about the Target breach has not fully been disclosed publicly. Whether it was a managed service provider like Trustwave or Target's own staff that sits at the root cause of the breach still remains to be seen.
The Target breach has already claimed the former CIO of Target as a victim. Will it now claim the reputation of Trustwave as well?
No security vendor or technology can make any organization invulnerable. Security is a combination of people, process and technology and should never be the domain of just one individual, vendor or product. Time will tell where the actual faults are to be found in the Target infrastructure and who in fact is liable for those faults.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.