An Amherst woman has filed a federal class action lawsuit against Target, seeking $5 million for a data breach that affected approximately 40 million credit and debit cards.
Michelle Mannion was one of the Target shoppers whose information was stolen between Nov. 27 and Dec. 15, according to the lawsuit filed Tuesday in the Northern District of Ohio’s U.S. District Court.
The lawsuit comes after Target notified the public that it was the victim of hackers who stole encrypted personal identification numbers, customer names and credit card information.
Security experts say it’s the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.
Mannion used her credit card at a Target at 8000 Oak Park Road in Amherst on Dec. 4 and 5. According to the lawsuit, Mannion’s identifying and financial information was disclosed in the data breach, and her entire bank account at Lorain National Bank was depleted, along with a subsequent overdraft.
The lawsuit contends that Target did little to notify customers of the breach and joins about 40 other suits that have been filed nationwide.
News of the data breach was published by blogger Brian Krebs on or about Dec. 18, before Target attempted to notify customers, according to the lawsuit. Target reportedly posted a statement on its corporate website Dec. 19 regarding the breach.
The lawsuit also contends that Target failed to implement and maintain “reasonable security procedures and practices,” and the thieves could not have accessed the information without negligence from the company.
The lawsuit contends that, in addition to financial loss, the victims of the scam could have their information connected to various types of government fraud.
Mannion’s attorney, Steven Goldberg, declined to comment on the lawsuit when contacted Friday. A spokeswoman for Target said the company does not comment on pending litigation.
Target is investigating the data breach and is in the early stages of a criminal and forensic investigation, according to the company’s website. The company, which is working with the Secret Service and the Department of Justice, has maintained that the stolen PINs were encrypted when they were removed from the system, so debit cards were not breached by using the PIN.
Credit card companies in the U.S. plan to replace magnetic strips with digital chips by the fall of 2015, a system already common in Europe and other countries that makes data theft more difficult.
The Associated Press contributed to this story.