A Minnesota judge has ordered the unsealing of a 55-page document alleging that in the months leading up to Target's massive data breach in late 2013, the retailer repeatedly missed warnings about malware intrusions, kept unencrypted payment card information on its servers and postponed taking action on breach alerts in order to avoid interrupting Cyber Monday.


The document, filed by attorneys representing five financial institutions that are suing Target over the breach, is associated with a motion asking the court to give the case class action status.


In it are allegations that the retailer made three decisions that allowed the breach, which compromised tens of millions of credit and debit cards, to occur and greatly increased its severity. First, it claimed, in October 2013, Target disabled and removed key security features by Symantec, an anti-virus provider, and kept them disabled and removed until after Black Friday. Second, Target installed a FireEye cybersecurity application but didn't implement its malware prevention features, the document alleged. Third, the retailer allegedly didn't fully integrate the application into its alert-generating system, causing a Dec. 2, 2013, alert about malware associated with the breach to go unheeded, the document alleged.


The document also referenced testimony from a group manager in Target's security operations center, which stated that in April 2012, the retailer discovered unencrypted payment card information dating back six or seven years on servers in almost 300 stores, but didn't take action on it for nearly six months.


“Even worse, Target continued to retain unencrypted payment card data on its system,” it said. “Specifically, unencrypted card data dating back almost ten years was found in plain text on Target's servers during the investigation of the breach.”


Perhaps most damning, however, is the allegation that Target implemented a “system freeze” from October 2013 to January 2014, which made it much more difficult to make changes to Target's computer and security systems “during seasons where Target generated the most revenue,” according to the filing. The breach occurred during that time.


“Once the breach began, Target ignored warnings and alerts on November 24, 25, 26, 30 and December 2,” the document said. “Target's own employee recognized, based on an alert, that 'someone's using a service account to access all the registers in one store[,]' but Target failed to effectively respond and pushed off responding to alerts in favor of Cyber Monday.” It only reacted after it was contacted by the U.S. Secret Service on Dec. 12, 2013, it alleged.


Ultimately, the point of access was a phishing email opened by an employee at Target's refrigeration vendor, which had direct access to the retailer's system via its construction management software, the document said. Target hosted that software on its own system rather than a third-party server but never did a risk assessment of the vendor or required it to use a two-factor authentication system to log in, it claimed.


In a statement to CU Times, a Target spokesperson strongly denied the allegations in the document.


“Class action counsels' allegations are not new and are drawn from old, and long disputed, assertions,” the company said. “Target rejects the arguments and characterizations. None of those allegations are currently before the court for resolution. The upcoming hearing is instead limited to whether a class should be certified in this case or not. Target has filed its opposition to class certification. As this is pending litigation, we're not in a position to comment further.”


According to U.S. Magistrate Judge Jeffrey Keyes, Target asked the court to keep the document under wraps because it contained details that might encourage additional attacks on the retailer and create adverse publicity should the media mischaracterize the litigation. But on Aug. 13, Keyes disagreed and ordered the document made public.


The hearing on class certification is scheduled for Sept. 10.
