
Class action lawsuit filed against Hy-Vee over its months-long data breach


Hy-Vee Gas, 1103 N Dodge St, Iowa City. — Emma McClatchey/Little Village

Two customers whose card information was stolen in a Hy-Vee data breach filed a class action suit against the company in federal court in Illinois.

“The Data Breach was the inevitable result of Hy-Vee’s inadequate data security measures and cavalier approach to data security,” according to the plaintiffs’ filing. “Despite the well-publicized and ever-growing threat of security breaches involving payment card networks and systems, and despite the fact that these types of data breaches were and are occurring throughout the restaurant and retail industries, Hy-Vee failed to ensure that it maintained adequate data security measures causing customer Card Information to be stolen.”

On Aug. 14, Hy-Vee issued a press release announcing it had discovered a data breach that affected customers who used debit and credit cards at its fuel pumps, drive-thru coffee shops and restaurants (Market Grilles, Market Grille Expresses and its Wahlburgers locations). No purchases at “our grocery stores, drugstores and inside our convenience stores” were at risk, the company explained, because those sales are processed using a different, more secure system.

Locations in all eight Midwestern states where the chain has its more than 240 stores were affected by the breach, which lasted between seven and eight months.

Card data stolen in the breach has been reported to be on sale at Joker’s Stash, a site that traffics in stolen card data.

The plaintiffs in the lawsuit, Noreen Perdue of Illinois and Dustin Murray of Missouri, both used payment cards at locations Hy-Vee has identified as infected by malware that stole customer information. Perdue used the pay-at-the-pump option while buying gas at a Hy-Vee in Galesburg, Illinois, and Murray was a regular diner at in-store restaurants in Columbia, Missouri. Both were informed by their banks that their card information had been compromised.

The plaintiffs’ attorneys are asking the U.S. District Court for the Central District of Illinois to certify Perdue and Murray’s lawsuit as a class action complaint, which would allow anyone affected by the breach to join the lawsuit. They are also seeking a jury trial in the case.

“Plaintiffs and class members seek to recover damages caused by Hy-Vee’s negligence, negligence per se, breach of contract, and violations of state consumer protection statutes,” the attorneys argue in their filing.

According to the filing, “had Hy-Vee utilized adequate data security and data breach precautions, the window of the Data Breach would have been significantly mitigated, and the level of impact could have been reduced, had the breach been permitted to happen at all in the first place.”

The attorneys also fault the company’s response to the data breach.

Rather than providing meaningful assistance to consumers to help deal with the fraud that has and will continue to result from the Data Breach, Hy-Vee simply tells them to “closely monitor [their] payment card statements for unauthorized activity,” shifting the onus to its customers. In contrast to what has been frequently made available to consumers in recent data breaches, Hy-Vee has not offered or provided any credit monitoring service or fraud insurance to date.

Little Village reached out to Hy-Vee for its response to the lawsuit. “We do not comment on pending litigation,” Tina Potthoff, Hy-Vee’s senior vice president for communications, said in an email.

Earlier this month, Hy-Vee put online a searchable database of locations involved in the data breach. Hy-Vees in 41 Iowa cities were listed, including locations in Iowa City, Coralville, Cedar Rapids and Marion.

