Two Iowans have been added as plaintiffs in a class action lawsuit filed by customers who had their credit and debit card information stolen after using their cards at certain Hy-Vee stores. The lawsuit was originally filed in October on behalf of two customers, one in Illinois and one in Missouri, affected by Hy-Vee’s eight-month-long data breach.
The amended complaint was filed in the U.S. District Court for the Central District of Illinois on Monday. Six more people have joined the original two plaintiffs in the lawsuit, which seeks compensation, damages and legal fees from the West Des Moines-based grocery store chain.
According to Monday’s filing, Melanie Savoie had her card information stolen after using “both her credit and debit card on several occasions at the Hy-Vee gas pump locations in Burlington, Iowa and Fort Madison, Iowa” during the data breach.
Cheryl Ellingson had her banking information compromised after she “used her debit card at a Hy-Vee-operated Wahlburgers restaurant located in West Des Moines” earlier this year.
Because Iowans have been added as plaintiffs, the lawsuit now alleges Hy-Vee violated the Iowa Consumer Fraud Act, and engaged in “unfair, deceptive, and unconscionable trade practices” by failing to provide adequate data security for all its customers, or warn them of the potential data security problems the chain had.
On Aug. 14, Hy-Vee issued a press release announcing it had discovered a data breach that affected customers who used debit and credit cards at its fuel pumps, drive-thru coffee shops and restaurants (Market Grilles, Market Grille Expresses and its Wahlburgers locations). No purchases at “our grocery stores, drugstores and inside our convenience stores” were at risk, the company explained, because those sales are processed using a different, more secure system.
Locations in all eight Midwestern states where the chain has its more than 240 stores were affected by the breach, which lasted between seven to eight months.
Card data stolen in the breach has been reported to be on sale at Joker’s Stash, a site that traffics in stolen card data.
Two months after it announced the data breech, Hy-Vee revealed the locations affected by it. According to Hy-Vee’s online data base eight locations that were infected by malware in Johnson County, and three in Linn County.
North Dodge Street Hy-Vee: Pay at the Pump, infected from Dec. 14, 2018 to July 29, 2019; Market Grille, infected from Jan. 15, 2019 to July 29, 2019.
Waterfront Hy-Vee: Pay at the Pump, infected from Dec. 14, 2018 to July 29, 2019; Market Grille, infected from Jan. 15, 2019 to July 29, 2019.
Eastside/1st Avenue Hy-Vee: Market Grille, infected from Jan. 15, 2019 to July 1, 2019
Lantern Park Plaza Hy-Vee: Pay at the Pump, infected from Dec. 17, 2018 to July 29, 2019; Market Grille, infected from Jan. 15, 2019 to July 16, 2019
Crosspark Road Hy-Vee: Market Grille, infected from Jan. 15, 2019 to July 29, 2019
Wilson Avenue Hy-Vee: Pay at the Pump, infected Dec. 14, 2018 to July 29, 2019
Johnson Avenue Hy-Vee: Market Grille, infected Jan. 15, 2019 to July 29, 2019
Marion Hy-Vee: Pay at the Pump, infected Dec. 14, 2018 to July 29, 2019
Little Village reached out to Hy-Vee for comment when the lawsuit was originally filed.
“We do not comment on pending litigation,” Tina Potthoff, Hy-Vee’s senior vice president for communications, said in an email.
No court date has been set for the lawsuit yet. Hy-Vee has until Jan. 6 to response to the amended lawsuit.