Hy-Vee says cards may have been accessed between Dec. 14, 2018, and July 29, 2019
Hy-Vee Inc. is facing a lawsuit after a data breach that took place at some Hy-Vee fuel pumps, drive-thru coffee shops and restaurants in the past year. Pennsylvania law firm Chimicles Schwartz Kriner & Donaldson-Smith (CSK&D) has filed a class action complaint in the U.S. District Court for the Central District of Illinois against the grocer.
"The data breach was the inevitable result of Hy-Vee’s inadequate data security measures despite the ever-growing threat of security breaches involving payment card systems," CSK&D said when describing the complaint. "Further, the company allegedly failed to take adequate measures to assist affected customers, choosing instead to spread out release of information over the course of a few months and shift the responsibility of dealing with any potential fraud onto its customers."
Hy-Vee notified customers of a data breach on Aug. 14, 2019. Then, after beefing up its security measures in October, Hy-Vee noted the time periods during which data from cards may have been accessed: Dec. 14, 2018, to July 29, 2019, for the fuel pumps and Jan. 15, 2019, to July 29, 2019, for the restaurants and drive-thru coffee shops. The grocer, however, says there are six locations where access could have begun as early as Nov. 9, 2018, and lasted until Aug. 2, 2019.
A Hy-Vee spokesperson responded to Progressive Grocer saying, "We do not comment on pending litigation."
Employee-owned Hy-Vee operates more than 260 retail stores across eight Midwestern states. The company is No. 12 on Progressive Grocer’s 2019 Super 50 list of the top grocers in the United States.