Target Corp. must defend itself against claims that its failure to shield computer systems allowed hackers to steal the account data of millions of shoppers, forcing banks to reimburse fraudulent charges and issue new credit and debit cards.
At least 40 million credit cards were compromised and personal information including e-mail addresses and phone numbers of as many as 110 million people may have been stolen in the incursion last year, the Minneapolis-based retail chain has said.
Five banks banded together to sue on behalf of every U.S. financial institution whose customers made Target purchases from Nov. 1 to Dec. 19, 2013, claiming they collectively sustained tens of millions of dollars in damages. The company last month asked U.S. Judge Paul Magnuson in St. Paul, Minnesota, to reject those claims.
Magnuson refused, saying Dec. 2 that the lenders plausibly raised a claim for negligence and that "imposing a duty on Target in this case will aid Minnesota's policy of punishing companies that do not secure consumers' credit- and debit-card information."
Molly Snyder, a spokeswoman for the retailer, said Target doesn't comment on pending litigation.
"Although third-party hackers' activity caused harm, Target played a key role in allowing the harm to occur" by disabling some security features and failing to heed warning signs when the cyber-attack began, the judge said in his written ruling.
Target faces a companion class action by consumers whose data was pirated. Among other things, they are seeking a court order compelling the company to adopt best practices for data security and to make restitution to those harmed by the attack.
The company has asked Magnuson to throw out those claims. He has scheduled a hearing on that request for Dec. 11.
The case is In Re: Target Corporation Customer Data Security Breach Litigation, 14-MD-2522, U.S. District Court, District of Minnesota (St. Paul).