The federal lawsuit filed Friday by the First Choice Federal Credit Union in New Castle seeks class action status, claiming there will be far in excess of the 100 victims and $5 million in damages needed to justify a class action under federal law once other financial institutions come forward.
The lawsuit doesn't say how much the credit union has spent to reissue its customer cards and take related precautions, and attorneys for the credit union didn't immediately return calls for comment Monday.
A Target spokeswoman repeated the Minneapolis-based chain's assurances that customers aren't liable for any fraudulent purchases
"They need to continue to watch their accounts and promptly report any fraud to their issuing bank," spokeswoman Molly Snyder said. "I can't speak to the reimbursement process as that is between Target and the banks."
Snyder declined to comment specifically on the lawsuit, which was filed electronically in U.S. District Court in Pittsburgh.
Target has said hackers stole about 40 million debit and credit card numbers and the personal information, including names, email addresses, phone numbers and home addresses of as many as 70 million customers.
Banks, credit unions and other entities that issued debit and credit cards have borne the expense of canceling and reissuing cards, closing transactions or accounts, refunding or crediting cardholders for unauthorized transactions, and notifying customers of the Target data breach in the first place.
But according to the lawsuit, Target should be responsible because the company allegedly stored and maintained data from the magnetic stripe on customers' cards for longer than 48 hours before the data was stolen. The 48-hour limit is imposed by Minnesota law.
The lawsuit also contends Target failed to "adequately protects its' customers' data, and its misconduct regarding the confidential debit and credit cardholders' information constitute deceptive acts and unfair trade practices.”
The lawsuit seeks unspecified monetary damages, attorney's fees, and a finding by the court that Target violated Minnesota law by maintaining customer account information longer than 48 hours, among other damages and remedies.