Target Corp., the second-largest U.S. discount chain, was sued by a Christmas shopper claiming she may have been exposed to identity theft from a data breach affecting 40 million debit and credit cards.
The lawsuit, filed yesterday in federal court in San Francisco, follows the Minneapolis-based company’s statement that the information was breached from Nov. 27 to Dec. 15, and that authorities and financial institutions were alerted immediately.
The lawsuit, based on allegations of invasion of privacy and negligence, claims the stolen data may permit the counterfeiting of cards by encoding the information onto any cards with a magnetic strip, and may have also revealed customers’ personal codes for debit cards.
“Target failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach,” according to the complaint.
The statement and ensuing lawsuit come as U.S. retailers gear up for the end of a holiday shopping season that ShopperTrak predicts will be the slowest since 2009. The breach at Target occurred when a computer virus infected its point-of-sale terminals where shoppers swipe a credit or debit card to make a purchase, according to a person familiar with the matter who asked not to be identified because the investigation is private.
Jennifer Kirk, a California resident, seeks to represent other Target customers affected by the security breach in a class-action lawsuit.
“We typically don’t comment on pending litigation and remain highly focused on our guests,” Molly Snyder, a spokeswoman for Target, said in an e-mail.
The company has 1,797 stores in the U.S. and 124 in Canada.
Target is also accused in the complaint of posting its Dec. 19 statement about the data breach as it was reported in the media on its corporate website, and not the shopping site that customers regularly visit. Target claimed to have “identified and resolved the issue,” according to the complaint, which conveyed a “false sense of security to affected customers,” according to the complaint.
The case is Kirk v. Target Corp., 13-cv-05885, U.S. District, Northern District of California (San Francisco).