Class action lawsuit filed against Hy-Vee over its months-long data breach

Hy-Vee Gas, 1103 N Dodge St, Iowa City. — Emma McClatchey/Little Village

Two customers whose card information was stolen in a Hy-Vee data breach filed a class action suit against the company in federal court in Illinois.

“The Data Breach was the inevitable result of Hy-Vee’s inadequate data security measures and cavalier approach to data security,” according the plaintiff’s filing. “Despite the well-publicized and ever-growing threat of security breaches involving payment card networks and systems, and despite the fact that these types of data breaches were and are occurring throughout the restaurant and retail industries, Hy-Vee failed to ensure that it maintained adequate data security measures causing customer Card Information to be stolen.”

On Aug. 14, Hy-Vee issued a press release announcing it had discovered a data breach that affected customers who used debit and credit cards at its fuel pumps, drive-thru coffee shops and restaurants (Market Grilles, Market Grille Expresses and its Wahlburgers locations). No purchases at “our grocery stores, drugstores and inside our convenience stores” were at risk, the company explained, because those sales are processed using a different, more secure system.

Locations in all eight Midwestern states where the chain has its more than 240 stores were affected by the breach, which lasted between seven to eight months.

Card data stolen in the breach has been reported to be on sale at Joker’s Stash, a site that traffics in stolen card data.

The plaintiffs in the lawsuit, Noreen Perdue of Illinois and Dustin Murray of Missouri, both used payment cards at locations Hy-Vee has identified as infected by malware that stole customer information. Perdue used the pay-at-the-pump option while buying gas at a Hy-Vee in Galesburg, Illinois, and Murray was a regular diner at in-store restaurants in Columbia, Missouri. Both were informed by their banks that their card information had been compromised.

The plaintiffs’ attorneys are asking the U.S. District Court for the Central District of Illinois to certify Perdue and Murray’s lawsuit as a class action complaint, which would allow anyone affected by the breach to join the lawsuit. They are also seeking a jury trial in the case.

“Plaintiffs and class members seek to recover damages caused by Hy-Vee’s negligence, negligence per se, breach of contract, and violations of state consumer protection statutes,” the attorneys argue in their filing.

According to the filing, “had Hy-Vee utilized adequate data security and data breach precautions, the window of the Data Breach would have been significantly mitigated, and the level of impact could have been reduced, had the breach been permitted to happen at all in the first place.”

The attorneys also fault the company’s response to the data breach.

Rather than providing meaningful assistance to consumers to help deal with the fraud that has and will continue to result from the Data Breach, Hy-Vee simply tells them to “closely monitor [their] payment card statements for unauthorized activity,” shifting the onus to its customers. In contrast to what has been frequently made available to consumers in recent data breaches, Hy-Vee has not offered or provided any credit monitoring service or fraud insurance to date.

Little Village reached to Hy-Vee for its response to the lawsuit. “We do not comment on pending litigation,” Tina Potthoff, Hy-Vee’s senior vice president for communications, said in an email.

Earlier this month, Hy-Vee put online a searchable database of locations involved in the data breach. Hy-Vees in 41 Iowa cities were listed, including locations in Iowa City, Coralville, Cedar Rapids and Marion.

Thoughts? Tips? A cute picture of a dog? Share them with LV »



Summer Programs 2020

Get 150+ local restaurants delivered to your door in the Iowa City & Cedar Rapids areas!

Don’t let other people’s opinions win.

Vote for your favorite people, places and events in the Iowa City-Cedar Rapids area! In a time when local businesses need our support more than ever, your vote will send a little love to the places that make our community special. And don’t forget to tell us why—the best comments will be published in our December Best of the CRANDIC 2021 issue! Voting ends September 30.

Read the Best of the CRANDIC issue, on stands now

The Future is Unwritten

You look to Little Village for today’s stories. Your sustaining support will help us write tomorrow’s.


$10/mo or $120/year
The cost of doing this work really adds up! Your contribution at this level will cover telephone and internet expenses for one month at the LV editorial offices.


$20/mo or $240/year
$240 is enough to cover one month’s costs for sending out our weekly entertainment newsletter, The Weekender. Make a contribution at this level to put a little more oomph on your support and your weekend.


$30/mo or $360/year
(AUTO-RENEW) connects eastern Iowa culture with the world. Your contribution at this level will cover the site’s hosting costs for three months. A bold move for our boldest supporters!

All monthly and annual contributors receive:

  • Recognition on our Supporters page (aliases welcome)
  • Exclusive early access when we release new half-price gift cards
  • Access to a secret Facebook group where you can connect with other supporters and discuss the latest news and upcoming events (and maybe swap pet pics?) with the LV staff
  • Invitations to periodic publisher chats (held virtually for now) to meet with Matt and give him a piece of your mind, ask your burning questions and hear more about the future plans for Little Village, Bread & Butter Magazine, Witching Hour Festival and our other endeavors.