Business

Hy-Vee customers hit chain with class action lawsuit over data breach

The Crosspark Road Hy-Vee store in Coralville on Monday, Oct. 15, 2018. (File photo/The Gazette)
The Crosspark Road Hy-Vee store in Coralville on Monday, Oct. 15, 2018. (File photo/The Gazette)

Hy-Vee customers have named the grocer in a class-action lawsuit after a cyber breach compromised payment card data at numerous locations in eight states.

The legal complaint, filed Tuesday in the U.S. District Court for the Central District of Illinois, criticizes the West Des Moines-based retailer for using encryption technology to protect card data at its grocery stores, but not its breached fuel pump, drive-through coffee shop and restaurant locations.

“Despite the well-publicized and ever-growing threat of security breaches involving payment card networks and systems, and despite the fact that these types of data breaches were and are occurring throughout the restaurant and retail industries, Hy-Vee failed to ensure that it maintained adequate data security measures causing customer card information to be stolen,” wrote attorneys representing two named plaintiffs and national, Illinois and Missouri classes of undetermined sizes.

“As a direct and proximate consequence of Hy-Vee’s conduct and data security shortcomings, a massive amount of customer information was stolen from Hy-Vee and exposed to criminals.”

The attorneys referenced a Krebs on Security report by Brian Krebs, a former Washington Post computer security reporter, who wrote that the carding bazaar Joker’s Stash was listing Hy-Vee data for sale online.

More than 5.3 million credit and debit card accounts in 35 states were affected, Krebs reported, citing two unnamed sources, including one at a major U.S. financial institution.

Among the complaint’s named plaintiffs, an Avon, Ill., woman and a Columbia, Mo., man had to close their debit card accounts and order new cards after learning from their banks that their cards had been compromised, after they respectively bought gas and food at a Hy-Vee fuel pump and restaurant.

ARTICLE CONTINUES BELOW ADVERTISEMENT

Later in the lawsuit, the plaintiffs’ attorneys took Hy-Vee to task for waiting seven weeks, over the course of an internal investigation, before sharing more information about the breach, and for telling customers to “closely monitor” their card statements for unauthorized activity rather than offering card monitoring service or fraud insurance.

Hy-Vee announced Aug. 14 it had detected unauthorized activity at some of its payment processing systems and, on Oct. 3, released a tool for customers to search affected stores — though, the attorneys noted, it does not confirm the numbers of stores targeted or customers and cards affected.

The class action lawsuit seeks “appropriate” monetary and injunctive relief from Hy-Vee on counts of negligence, breach of implied contract and unjust enrichment, plus Illinois and Missouri laws governing fraud, deceptive business and merchandising practices.

Hy-Vee has not filed a response as of Thursday afternoon. Reached by email, a spokeswoman told The Gazette the grocer does not comment on pending litigation.

Comments: (319) 398-8366; thomas.friestad@thegazette.com

Give us feedback

We value your trust and work hard to provide fair, accurate coverage. If you have found an error or omission in our reporting, tell us here.

Or if you have a story idea we should look into? Tell us here.