In August, 2019, Hy-Vee announced that it was investigating a payment card breach affecting customers who had used some of their fuel pumps, drive-thru coffee shops, and restaurants.
Three days later, Brian Krebs reported:
On Tuesday of this week, one of the more popular underground stores peddling credit and debit card data stolen from hacked merchants announced a blockbuster new sale: More than 5.3 million new accounts belonging to cardholders from 35 U.S. states. Multiple sources now tell KrebsOnSecurity that the card data came from compromised gas pumps, coffee shops and restaurants operated by Hy-Vee, an Iowa-based company that operates a chain of more than 245 supermarkets throughout the Midwestern United States.
This week, Paul Brennan reports:
Hy-Vee has reached a preliminary settlement agreement in the class action lawsuit filed by customers who had their credit and debit card information stolen during a massive data breach at some of the company’s stores in 2018 and 2019.
According to papers filed in an Illinois federal court on Tuesday, the company began negotiating the proposed settlement deal with the plaintiffs’ attorneys after a judge refused to dismiss the lawsuit in April 2020. The next step in the lawsuit would have been the discovery phase, during which company officials would have been compelled to testify about the data breach under oath and produce documents related to it.
Brennan provides a recap of the history of the breach and litigation and what the settlement provides for consumers. You can read his report on Little Village.