A western Pennsylvania credit union is suing Target Corp. for the cost of reissuing debit cards to about 75 customers whose account information was compromised by computer hackers who stole 40 million credit and debit card numbers from the retailer's customers.
The federal lawsuit filed Friday by the First Choice Federal Credit Union in New Castle seeks class action status, claiming there will be far in excess of the 100 victims and $5 million in damages needed to justify a class action under federal law once other financial institutions come forward. The Pennsylvania credit union is located about 45 miles northwest of Pittsburgh.
The lawsuit doesn't say how much the credit union has spent to reissue its customer cards and take related precautions, and the law firms that filed the suit didn't specify in a statement released Monday.
"The complaint alleges that Target knew or should have known that its payment processes were vulnerable to this sort of attack, yet the company failed to take adequate measures to protect sensitive data and did not inform customers or financial institutions about the ongoing attack for several weeks after it was discovered," according to the statement from the three firms, Carson Lynch, Del Sole Cavanaugh Stroyd, and Berger & Montague.
A Target spokeswoman repeated the Minneapolis-based chain's assurances that customers aren't liable for any fraudulent purchases
"They need to continue to watch their accounts and promptly report any fraud to their issuing bank," spokeswoman Molly Snyder said. "I can't speak to the reimbursement process as that is between Target and the banks."
Snyder declined to comment specifically on the lawsuit, which was filed electronically in U.S. District Court in Pittsburgh.
Target has said hackers stole about 40 million debit and credit card numbers and the personal information, including names, email addresses, phone numbers and home addresses of as many as 70 million customers.
Banks, credit unions and other entities that issued debit and credit cards have borne the expense of canceling and reissuing cards, closing transactions or accounts, refunding or crediting cardholders for unauthorized transactions, and notifying customers of the Target data breach in the first place.
But according to the lawsuit, Target should be responsible because the company allegedly stored and maintained data from the magnetic stripe on customers' cards for longer than 48 hours before the data was stolen. The 48-hour limit is imposed by Minnesota law.
The lawsuit also contends Target failed to "adequately protects its' customers' data, and its misconduct regarding the confidential debit and credit cardholders' information constitute deceptive acts and unfair trade practices."
The lawsuit seeks unspecified monetary damages, attorney's fees, and a finding by the court that Target violated Minnesota law by maintaining customer account information longer than 48 hours, among other damages and remedies.