A federal judge on Tuesday rejected Target Corp's bid to dismiss a lawsuit by banks seeking to recoup money they spent reimbursing fraudulent charges and issuing new credit and debit cards because of the retailer's late 2013 data breach.
U.S. District Judge Paul Magnuson in St. Paul, Minnesota said Target played a "key role" in allowing hackers to infiltrate its computer systems.
He said this justified letting the five bank plaintiffs, which seek class-action status on behalf of lenders nationwide, pursue much of their lawsuit accusing the second-largest U.S. discount retailer of negligence and violating Minnesota consumer protection laws. The banks are seeking millions of dollars in damages.
"Plaintiffs have plausibly alleged that Target's actions and inactions - disabling certain security features and failing to heed the warning signs as the hackers' attack began - caused foreseeable harm to plaintiffs," Magnuson wrote. "Plaintiffs have also plausibly alleged that Target's conduct both caused and exacerbated the harm they suffered."
Target did not immediately respond to a request for comment.
The company has said at least 40 million credit cards were compromised in the breach, and that as many as 110 million people may have had personal information, such as email addresses and phone numbers, stolen.
Target has also said the bank plaintiffs were "sophisticated parties" that lacked the close ties to the retailer necessary to support their legal claims.
The plaintiffs include Umpqua Holdings Corp's Umpqua Bank in Roseburg, Oregon; Mutual Bank in Whitman, Massachusetts; Village Bank in St. Francis, Minnesota; CSE Federal Credit Union in Lake Charles, Louisiana; and First Federal Savings of Lorain in Lorain, Ohio.
They are seeking class-action status on behalf of banks and credit unions with customers who used credit and debit cards at Target between Nov. 1 and Dec. 19, 2013.
Consumers are also pursuing related class-action litigation over the breach, and Target has asked Magnuson to throw out that case.
The case is In re: Target Corporation Customer Data Security Breach Litigation, U.S. District Court, District of Minnesota, No. 14-md-02522.