Two customers whose card information was stolen in a Hy-Vee data breach filed a class action suit against the company in federal court in Illinois.
“The Data Breach was the inevitable result of Hy-Vee’s inadequate data security measures and cavalier approach to data security,” according the plaintiff’s filing. “Despite the well-publicized and ever-growing threat of security breaches involving payment card networks and systems, and despite the fact that these types of data breaches were and are occurring throughout the restaurant and retail industries, Hy-Vee failed to ensure that it maintained adequate data security measures causing customer Card Information to be stolen.”
On Aug. 14, Hy-Vee issued a press release announcing it had discovered a data breach that affected customers who used debit and credit cards at its fuel pumps, drive-thru coffee shops and restaurants (Market Grilles, Market Grille Expresses and its Wahlburgers locations). No purchases at “our grocery stores, drugstores and inside our convenience stores” were at risk, the company explained, because those sales are processed using a different, more secure system.
Locations in all eight Midwestern states where the chain has its more than 240 stores were affected by the breach, which lasted between seven to eight months.
Card data stolen in the breach has been reported to be on sale at Joker’s Stash, a site that traffics in stolen card data.
The plaintiffs in the lawsuit, Noreen Perdue of Illinois and Dustin Murray of Missouri, both used payment cards at locations Hy-Vee has identified as infected by malware that stole customer information. Perdue used the pay-at-the-pump option while buying gas at a Hy-Vee in Galesburg, Illinois, and Murray was a regular diner at in-store restaurants in Columbia, Missouri. Both were informed by their banks that their card information had been compromised.
The plaintiffs’ attorneys are asking the U.S. District Court for the Central District of Illinois to certify Perdue and Murray’s lawsuit as a class action complaint, which would allow anyone affected by the breach to join the lawsuit. They are also seeking a jury trial in the case.
“Plaintiffs and class members seek to recover damages caused by Hy-Vee’s negligence, negligence per se, breach of contract, and violations of state consumer protection statutes,” the attorneys argue in their filing.
According to the filing, “had Hy-Vee utilized adequate data security and data breach precautions, the window of the Data Breach would have been significantly mitigated, and the level of impact could have been reduced, had the breach been permitted to happen at all in the first place.”
The attorneys also fault the company’s response to the data breach.
Rather than providing meaningful assistance to consumers to help deal with the fraud that has and will continue to result from the Data Breach, Hy-Vee simply tells them to “closely monitor [their] payment card statements for unauthorized activity,” shifting the onus to its customers. In contrast to what has been frequently made available to consumers in recent data breaches, Hy-Vee has not offered or provided any credit monitoring service or fraud insurance to date.
Little Village reached to Hy-Vee for its response to the lawsuit. “We do not comment on pending litigation,” Tina Potthoff, Hy-Vee’s senior vice president for communications, said in an email.
Earlier this month, Hy-Vee put online a searchable database of locations involved in the data breach. Hy-Vees in 41 Iowa cities were listed, including locations in Iowa City, Coralville, Cedar Rapids and Marion.