Supervalu Hit With Lawsuit After Breach
Alleges Company Failed to Follow Security Best Practices
A class action lawsuit has been filed against the Supervalu supermarket chain following recent revelations of a breach that potentially compromised customer payment card data from point-of-sale systems (see: Supermarket Chain Reveals New Breach).
In the suit, which was filed in the U.S. District Court for the Southern District of Illinois, the plaintiffs claim Supervalu failed to abide by best practices and industry standards concerning the security of its payment processing systems. Additionally, Supervalu is being accused of failing to notify plaintiffs in a timely manner. The lawsuit states that Supervalu has publicly stated that "approximately 40 million credit and debit card accounts may have been impacted."
"Plaintiffs and class members are subject to continuing damage from having their personal information compromised as a result of defendant's inadequate systems and failures," the lawsuit says. Those damages, the suit contends, include, among other things, out-of-pocket expenses to mitigate identity theft and fraud risks.
The lawsuit lists four plaintiffs who shopped at grocery stores and used their payment cards during the time of the breach. It says any fraud losses have not yet been determined.
The legal action alleges negligence; breach of implied contract; violation of the Stored Communications Act; violation of the Missouri Merchandising Practices Act; and violation of the Illinois Personal Information Protection Act. The suit seeks unspecified compensatory and punitive damages and other costs.
Supervalu did not immediately respond to a request for comment.
A data breach attorney who recently commented on a similar lawsuit against P.F. Chang's contends such consumer cases "are dead in the water." Tying consumer fraud losses to a specific breach, especially in today's age of numerous retail breaches, is next to impossible, the attorney, who asked not to be named, says.
"To have a case, you have to have two things: Liability and damages," the attorney adds. "That's hard to prove on the consumer side."
The supermarket chain said Aug. 15 that it was investigating a network intrusion that may have resulted in criminals compromising customer data from its point-of-sale systems. Supervalu says unauthorized access to its systems began no earlier than June 22 and continued until July 17 at the latest, and may have resulted in the theft of data from 180 Supervalu grocery stores - including franchised stores - as well as standalone liquor stores across seven states.
Supervalu, which is based in Eden Prairie, Minn., had $34.3 billion in 2013 revenue and is the third-largest food retailer in the U.S., acting as a wholesale supplier to a number of food stores, as well as operating stores under such brand names as Cub, Farm Fresh, Shoppers, Shop 'n Save and Hornbacher's.
The data breach may also have affected customers of 836 Albertsons, ACME Markets, Jewel-Osco, Shaw's and Star Markets stores in 21 states (see: AB Acquisition: Breach Impacts 836 Stores).
Supervalu says the breach potentially compromised payment card numbers, cardholders' names, card expiration dates and "other numerical information," which the company hasn't defined. But that information could refer to track data, including the cards' CVV security codes. The stolen information - especially if it included CVV codes - could be used by criminals to commit fraud.
As details about the payments breach that struck select supermarkets owned by Supervalu and AB Acquisition continue to unfold, security experts say it's likely this latest attack is linked to other recent merchant breaches (see: Supervalu: Linked to Other Breaches?).