Hy-Vee Gas, 1103 N. Dodge Street, Iowa City. – Emma McClatchey / Little Village
Hy-Vee has reached a preliminary settlement agreement in a class action lawsuit filed by customers whose credit and debit card information was stolen during a massive data breach at some of the company’s branches in 2018 and 2019.
According to records filed in a federal court in Illinois on Tuesday, the company began working with plaintiffs’ attorneys on the proposed settlement after a judge refused to dismiss the lawsuit in April 2020. The next step in the lawsuit would have been the discovery phase, during which the company’s employees would have been forced to testify under oath about the data breach and to submit relevant documents.
On August 14, 2019, Hy-Vee issued a press release announcing that it had discovered a data breach involving customers using debit and credit cards at fuel pumps, drive-through cafes and restaurants (Market Grilles, Market Grille Expresses and Wahlburgers locations). No purchases in “our grocery stores, drugstores and in our convenience stores” were at risk, the company explained, as these sales are processed using a different, more secure system.
Locations in all eight Midwestern states where the chain has more than 240 stores were affected by the breach, which lasted between seven and eight months in some locations, beginning in December 2018. Information from more than 5.3 million debit and credit cards was stolen during the data breach.
The stolen debit and credit card information was later offered for sale on Joker’s Stash, a website that deals in stolen card information.
In October, two Hy-Vee customers whose data had been stolen – one in Illinois, the other in Missouri – filed a class action lawsuit against Hy-Vee over the data breach. The following month, two Iowans were named plaintiffs in the lawsuit.
Hy-Vee locations in 41 cities in Iowa were infected with the data-stealing malware, including locations in Iowa City, Coralville, Cedar Rapids and Marion, according to a database of sites involved in the data breach that the company published.
If the court approves the settlement, US residents who used a payment card to make purchases at an affected Hy-Vee POS device during the security incident will be entitled to reimbursement of up to $225 for “the following categories of potential expenses incurred as a result of the data breach”:
• reimbursement of up to three (3) hours of documented lost time (at US $20 per hour) spent on handling replacement card issues or canceling fraudulent charges (only if at least one full hour was spent and can be documented with reasonable accuracy);
• an additional payment of US $20 for any credit or debit card that incurred documented fraudulent charges that were subsequently reimbursed;
• non-refundable bank charges, card reissue charges, overdraft charges, late charges, unavailability of funds charges and overdraft charges;
• long distance calls, postage, cell phone minutes (if billed by the minute), text messaging (if billed by message), and Internet usage charges (if billed by the minute or by amount of data used);
• non-refundable fees from banks or credit card companies;
• interest on payday loans due to card cancellation or due to an overrun situation;
• cost of the credit report(s); and
• credit monitoring and identity theft protection costs.
Some individuals who “have incurred extraordinary costs are eligible for reimbursement of up to $5,000 per incident.” The 11 individuals named in the lawsuit will also receive “incentive rewards” of $2,000 each.
The plaintiffs’ attorneys are seeking fees of $727,000, “a figure the parties agreed with the assistance of the mediator on a mediator’s suggestion,” according to the legal memorandum on the settlement filed Tuesday. Hy-Vee is expected to pay $12,000 to cover legal fees.
In addition to agreeing to these payments, Hy-Vee agrees to take “certain measures to increase data security and protect consumer information for a period of two years” as part of the settlement.
These measures include: appointing a Group Vice President, IT Security; maintaining a written information security program; training employees on data security guidelines and on how to identify and handle suspicious emails; maintaining a policy for responding to information security incidents; observing [current payment card industry data security] standards; and requiring third-party vendors to use multi-factor authentication to access the Hy-Vee payment card environment.
If the proposed settlement is approved by the federal judge overseeing the case, anyone affected by the data breach will have 120 days from the public announcement of that approval to file a claim through a website created by plaintiffs’ lawyers.