A preliminary settlement agreement regarding a data breach that impacted customers of Iowa-based grocery store chain Hy-Vee has been proposed.
Hy-Vee launched an investigation after detecting unauthorized activity on some of its payment processing systems on July 29, 2019.
The investigation found that malware designed to access and steal payment card data from cards used on point-of-sale (POS) devices had been installed at certain Hy-Vee fuel pumps and drive-thru coffee shops.
Restaurants were also impacted, including Hy-Vee Market Grilles, Hy-Vee Market Grille Expresses, and the Wahlburgers locations that Hy-Vee owns and operates, as well as the cafeteria at the chain's West Des Moines corporate office.
According to a statement released by Hy-Vee in October 2019, the specific timeframes when data from cards used at these locations may have been accessed varies by location. However, the company said that in general, fuel pumps were impacted from December 14, 2018, to July 29, 2019, whereas restaurants and drive-thru coffee shops were affected beginning January 15, 2019, to July 29, 2019.
"There are six locations where access to card data may have started as early as November 9, 2018, and one location where access to card data may have continued through August 2, 2019," stated the company.
Hy-Vee concerns in Iowa, Illinois, Kansas, Missouri, Montana, Nebraska, South Dakota, and Wisconsin were impacted by the breach. Data stolen in the prolonged attack included customer names, credit and debit card numbers, card expiration dates, and verification codes.
In October and November 2019, lawsuits were filed over the breach by several customers in Illinois, Missouri, and Wisconsin whose data had been compromised. These customers later teamed up to file a class-action complaint against Hy-Vee at the end of November 2019.
On January 12, a settlement agreement was proposed that would allow those affected by the breach to submit reimbursement claims for a maximum of $225. The plaintiffs who are named in the suit are earmarked to receive an additional $2,000 "incentive award."
Under the proposal, customers who faced "extraordinary expenses" because of the data breach, such as hefty, unreimbursed fraudulent charges, may claim up to $5,000.