The Hy-Vee chain of grocery stores and gas stations across the Midwest is the focus of a proposed class action lawsuit filed over a months-long data breach that allegedly exposed the credit and debit card information of millions of consumers. The suit charges that Hy-Vee’s failure to implement adequate data security measures, as well as what the plaintiffs call its apparent “cavalier approach” to safeguarding customer information, is to blame for the incident.
Filed in Illinois district court, the 39-page complaint begins by taking issue with the “Notice of Payment Card Data Incident” posted on defendant Hy-Vee, Inc.’s website. The lawsuit stresses that the initial notice contained very few details about the data breach itself and provided little insight into what actually happened. According to the case, Hy-Vee first posted the notice on August 14, 2019, yet otherwise kept quiet about the incident for two months, reportedly believing it was best to conclude an internal investigation into the data breach before providing affected customers with details.
On October 3, 2019, nearly two months after announcing the breach, Hy-Vee, the lawsuit says, finally shared additional information with consumers. The company reportedly revealed that the breach, which exposed credit and debit card numbers, cardholder names and card expiration dates, affected different parts of its businesses for different lengths of time. According to the case, the window in which Hy-Vee fuel pump customers’ information was exposed lasted from December 14, 2018 to July 29, 2019, and restaurant and coffee shop customers’ data was exposed from January 15 through July 29, 2019. The suit adds that for some Hy-Vee restaurants, the breach began as early as November 9, 2018, with one location’s systems exposed through August 2, 2019.
As the plaintiffs tell it, Hy-Vee’s less-than-fortified approach to data security in the face of myriad large data breaches in recent years contributed substantially to the exposure of customers’ sensitive payment information. According to the case, Hy-Vee’s fuel pumps, drive-thru coffee shops and restaurants did not utilize card encryption technology at the time of the breach.
“Despite the well-publicized and ever-growing threat of security breaches involving payment card networks and systems, and despite the fact that these types of data breaches were and are occurring throughout the restaurant and retail industries, Hy-Vee failed to ensure that it maintained adequate data security measures causing customer Card Information to be stolen,” the complaint states, adding that Hy-Vee’s grocery store checkout lanes, pharmacies and convenience stores reportedly utilized card encryption technology during the time frame of the breach and are believed not to have been affected.