In the race for justice, the prize often goes to the swift. And in this case, one of the top finishers was Los Angeles attorney Robert Ahdoot, who raced to San Francisco U.S. District Court yesterday and filed a class-action lawsuit -- dated 1:37 p.m. -- against Target for its role in what's being called the second-largest data breach in history, the theft of credit- and debit-card information on up to 40 million customers.
Ahdoot's suit, on behalf of named plaintiff Jennifer Kirk, claims that a blogger, Brian Krebs, first revealed the massive identity theft on Wednesday "before Target made any attempt whatsoever to notify affected customers," Courthouse News Service reported.
Target has not exactly covered itself in glory so far. It told customers it was sorry and then gave them some paternalistic advice about checking their credit report and keeping a close eye on credit card accounts. It didn't offer to pay for any additional protection.
Analysts of all stripes are lambasting the company for its feeble response and predicting dire consequences.
"There's a level of trust that's diminished and there is perhaps a loss of goodwill," said Daren Orzechowski, a partner at law firm White & Case in New York, who focuses on information technology legal matters, including privacy. The breach "could affect people who choose not to go to those [Target] stores versus a competitor," he told Advertising Age.
Target has said the stolen data includes names, credit card numbers, expiration dates and the three-digit security codes on the backs of cards, but it claimed online purchases were not affected.
The leading speculation among cyber security experts is that hackers extracted the purloined data from the card-swipe machines used to process in-store payments, rather than invading Target's corporate information system.
"It appears that the majority of this information was taken from the point-of-sale (POS) machines themselves, which were infected by malware that intercepted the data itself during the magstripe swipe," said Kevin O'Brien, director of product marketing at CloudLock, in an analysis of the breach quoted by DarkReading. "The most likely scenario is the attackers hacked their way to a central relay point, where they could snag credit cards coming through for processing."
O'Brien said it "is clear that the security and monitoring systems in place were inadequately designed and managed."
As Kirk's class-action suit notes, Target knew about the breach for four days before it bothered to tell customers. Even then, it didn't offer to do anything to help those whose data it had lost, a circumstance it has so far ignored in its public statements.
"We wanted to move swiftly to address the issue. This is a very important holiday week but our focus is on the guests," said Dustee Jenkins, a Target spokeswoman. "We want to reassure people that they can shop at Target."
"The reaction to it has been very ham-handed," said consultant Craig Johnson of Customer Growth Partners in the AdAge account. "You have to get out in front and communicate. No company is perfect but when an issue arises, when there's a theft or fraud thing ... you want your customers to hear about it first from you."
Kirk's suit seeks class certification, damages and punitive damages for unfair competition, privacy invasion, negligence, conversion and other charges.