Hours after the company acknowledged that 40 million customers’ credit and debit card information was lifted during point-of-sale transactions over the past few weeks, Target Corp. was hit with a class action lawsuit over the breach.
In a statement, Target confirmed that data was stolen from credit and debit cards swiped in its U.S. brick-and-mortar stores between Nov. 27 and Dec. 15—prime holiday shopping season. According to the company’s investigation, customer names, credit or debit card numbers, expiration dates and CVV security codes were compromised. As many as 40 million customers are likely to be affected by the breach.
On Thursday, Jennifer Kirk filed a class action lawsuit accusing Target of breaking California’s unfair competition and data breach reporting laws. She also alleged the company “failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach.”
According to the proposed class action lawsuit, news of the Target data breach was first published on Wednesday by blogger Brian Krebs, before Target had made any effort to notify customers who may have been affected by the Target credit card theft. News outlets began reporting that the data was likely gathered through the use of software installed on the machines customers use to swipe their credit and debit cards while paying.
The data that was allegedly exposed is known as “track data,” which allows criminals to create counterfeit cards by encoding the credit or debit card information onto any card with a magnetic strip. The Target data breach lawsuit also mentions that the thieves may have captured PIN numbers from customers who paid with debit cards, which could allow them to withdraw money directly from those customers’ bank accounts.
On Thursday, Target posted a notice on its corporate website, confirming that customers’ credit and debit card information had been compromised. The company reportedly took no steps to notify the customers who were affected by the Target credit card theft. “In its December 19 statement concerning the data breach, Target also claimed to ‘have identified and resolved the issue,’ conveying a false sense of security to affected customers,” Kirk says in her class action lawsuit.
Because of the Target data breach, customers are now at risk of identity theft. The Federal Trade Commission (FTC) estimates that as many a 9 million Americans are victims of identity theft each year. “Identity thieves can use identifying data to open new financial accounts and incur charges in another person’s name, take out loans in another person’s name, incur charges on existing accounts, or clone ATM, debit or credit cards,” the class action lawsuit says.
Not only are identity theft victims subjected to financial harm, but their identities can also become implicated in fraud. Identity thieves can use stolen data to commit immigration fraud, obtain government identification in the victim’s name, obtain government benefits in the victim’s name, file fraudulent tax returns, and a variety of other fraudulent activities. When personal data is compromised, the victims must constantly monitor their financial and personal records.
Kirk is represented by Tina Wolfson, Robert Ahdoot and Theodore Maya of Ahdoot & Wolfson PC.
The Target Customer Data Breach Class Action Lawsuit is Jennifer Kirk v. Target Corp., et al., Case No. 13-cv-05885, in the U.S. District Court for the Northern District of California.