[BreachExchange] Hy-Vee Data Breach Settlement Proposed

Fri Jan 15 10:52:47 EST 2021

https://www.infosecurity-magazine.com/news/hy-vee-data-breach-settlement/

A preliminary settlement agreement regarding a data breach that
impacted customers of Iowa-based grocery store chain Hy-Vee has been
proposed.

Hy-Vee launched an investigation after detecting unauthorized activity
on some of its payment processing systems on July 29, 2019.

The investigation found that malware designed to access and steal
payment card data from cards used on point-of-sale (POS) devices had
been installed at certain Hy-Vee fuel pumps and drive-thru coffee
shops.

Restaurants were also impacted, including Hy-Vee Market Grilles,
Hy-Vee Market Grille Expresses, and the Wahlburgers locations that
Hy-Vee owns and operates, as well as the cafeteria at the chain's West
Des Moines corporate office.

According to a statement released by Hy-Vee in October 2019, the
specific timeframes when data from cards used at these locations may
have been accessed varies by location. However, the company said that
in general, fuel pumps were impacted from December 14, 2018, to July
29, 2019, whereas restaurants and drive-thru coffee shops were
affected beginning January 15, 2019, to July 29, 2019.

"There are six locations where access to card data may have started as
early as November 9, 2018, and one location where access to card data
may have continued through August 2, 2019," stated the company.

Hy-Vee concerns in Iowa, Illinois, Kansas, Missouri, Montana,
Nebraska, South Dakota, and Wisconsin were impacted by the breach.
Data stolen in the prolonged attack included customer names, credit
and debit card numbers, card expiration dates, and verification codes.

In October and November 2019, lawsuits were filed over the breach by
several customers in Illinois, Missouri, and Wisconsin whose data had
been compromised. These customers later teamed up to file a
class-action complaint against Hy-Vee at the end of November 2019.

On January 12, a settlement agreement was proposed that would allow
those affected by the breach to submit reimbursement claims for a
maximum of $225. The plaintiffs who are named in the suit are
earmarked to receive an additional $2,000 "incentive award."

Under the proposal, customers who faced "extraordinary expenses"
because of the data breach, such as hefty, unreimbursed fraudulent
charges, may claim up to $5,000.