A massive credit card breach at a Missouri-based grocery store chain could end up cost $80 million in Illinois alone, according to a court motion filed last week. So far, at least three lawsuits seeking class action status have been filed against Schnucks Markets, Inc., alleging a breach that has affected 2.4 million cards used at 79 stores between early December and late March.
As the St. Louis Dispatch reports:
The suits allege that Schnucks knew about the breach days, perhaps longer, before it revealed the hack, and should have told customers about it sooner. The suit filed in Illinois on April 25 says the breach cost customers time and money, requiring card holders to spend hours canceling and getting replacement cards, and re-setting automatic payments.
In its motion, filed Friday, Schnucks puts a figure on this effort, saying that an estimated 1.6 million card transactions took places at its 23 Illinois stores during the breach period, representing 500,000 unique cards — about one-fifth of the cards compromised in the breach overall.
Plaintiffs argue that state law in Missouri and Illinois says that any store that stores personal data relating to customers must notify those customers as soon as the store becomes aware of a breach. Schnucks, however, says that the data stolen from customer credit cards included card numbers and expiration dates, not names, meaning they were not required to notify victims. It can be said that this looks bad on Schnucks — customer service-wise and reputation-wise.
The case is likely to head to the U.S. District Court for the Southern District of Illinois.
Relatively speaking, $80 million is nothing compared to, say, the Heartland Payments Systems security breach of 2008, which resulted in the theft of information from more than 100 million credit and debit cards and a 20-year prison sentence for the perpetrator. But even that doesn’t compare to this list of the top five most expensive data breaches.