The Montgomery-based credit union alleged in its complaint that Target was not compliant with card industry data security standards at the time of the incursion that led to the theft of credit and debit card data.
“Among other things, merchants are prohibited from storing unprotected cardholder information,” the credit union observed in its class-action complaint filed on Jan. 2 in the U.S. District Court for the Middle District of Alabama.
“The stolen data includes, among other things, customer names, credit and debit card numbers, card expiration dates and the three-digit security codes located on the backs of cards. There is no legitimate reason for Target to keep all of this information stored electronically,” the credit union concluded.
Target acknowledged on Dec. 19 that all of its stores had been hit in the breach that began on or around Black Friday and that data from roughly 40 million credit and debit card accounts had been compromised.
There have been no estimates yet of industry-wide losses from the breach and Alabama State Employees also refrained from using many hard numbers.
“Plaintiff has lost significantly in refunding the unauthorized use and access of its customers’ and members’ accounts due to Target data breach,” the credit union argued in its brief. “The cost in refunding loss deposits, time and resources spent to remedy the situation of (the credit union's) customers and members are untold.”
Calls to the credit union's law firm were not returned by press time. Target noted that it did not comment on pending litigation and the firm has not yet filed a response to the credit union's complaint.
Meanwhile, many credit unions have continued to push forward in their efforts to quantify their losses from the breach. At least 200 have participated in a survey CUNA is conducting about credit union losses from the Target breach.
“We expect those numbers to increase,” Pat Keefe, vice president of communications at CUNA, said on Jan. 6.
“We have a number of questions related to how and when they were informed of the breach, how many of their members cards have been affected, and some questions on some of the actions they have taken or plan to take with respect to the cards,” added Bill Hampel, CUNA senior vice president of research and policy analysis and chief economist, during the trade group's weekly conference call.
“We also ask them for some information on the cost that they have incurred in terms of either reissuing cards or having to increase staff for increased call volume,” Hampel said.
Keefe detailed CUNA's plans to distribute the results.“We expect to make results of our survey available to those who can assist in limiting the costs to credit unions of these breaches in the future – including lawmakers, regulators, the media and our members,” he said. “The data we share will be the aggregated results. We will not share the data of individual credit unions.”
In the latest edition of The Cheney Report, CUNA President/CEO Bill Cheney said, “We want to know – because the scope of this breach is so big (the second largest, in terms of total persons affected), the costs to credit unions (and ultimately to their members) are so immense for replacing cards and reimbursing members who have lost funds due to fraudulent transactions, and because Congress is taking notice of this whole affair –particularly the costs of it all.”