The massive payment-card breach at Target in December triggered nearly 60 class-action lawsuits, which have now been combined into a single amended complaint that was filed on Monday (Aug. 25), Law360 reported.
The revised lawsuit, which includes more than 100 named plaintiffs representing most U.S. states, is asking to represent both a nationwide class and state-specific classes of Target customers. As many as 110 million Target customers may have been victims of the Target breach, one of the largest data breaches in U.S. history.
Lawyers combed through the nearly 60 lawsuits to locate the strongest claims and best plaintiffs to proceed with the litigation, and constructed the amended lawsuit “from the ground up,” said Vincent Esades, a plaintiffs’ attorney.
The lawsuit also includes a more complete and detailed factual history of the Target breach. According to the lawsuit’s timeline, eastern European cyberthieves began probing computer networks of major U.S. retailers in June 2013, and were able to get into Target’s computer system through one of the chain’s refrigeration vendors, because Target’s networks were not properly segmented to separate financial systems from plant operations.
With access to the network, the thieves uploaded malware targeting payment systems by Nov. 20. The malware was detected by automated security systems on Nov. 30 and Dec. 2, but Target didn’t take action until it was notified of the breach by the U.S. Department of Justice on Dec. 12. after the thieves began harvesting card numbers, according to the lawsuit.