The cost of the massive payment card hack that struck Schnucks in recent months could cost the company $80 million in Illinois alone, according to a court filing.
In a motion filed last week, the Maryland Heights-based chain asked that a lawsuit against the company be heard in U.S. District Court for the Southern District of Illinois, rather than in St. Clair County Circuit Court, because the higher court can have jurisdiction when a plaintiff is claiming more than $5 million in damages.
At least three lawsuits seeking class action status have been filed against Schnuck Markets Inc. in the wake of the credit card breach that impacted an estimated 2.4 million cards, used at 79 stores, from early December to late March. Two of the suits have been filed in Missouri; one in Illinois.
The suits allege that Schnucks knew about the breach days, perhaps longer, before it revealed the hack, and should have told customers about it sooner. The suit filed in Illinois on April 25 says the breach cost customers time and money, requiring card holders to spend hours canceling and getting replacement cards, and re-setting automatic payments.
In its motion, filed Friday, Schnucks puts a figure on this effort, saying that an estimated 1.6 million card transactions took places at its 23 Illinois stores during the breach period, representing 500,000 unique cards — about one-fifth of the cards compromised in the breach overall.
Based on that figure, the company estimates that the potential class, if certified, could number 500,000 victims in Illinois. If each victim spent two hours dealing with the problem and was paid the federal minimum wage of $7.25, the total compensatory damages could tally $7.25 million, according to the filing.
Because the Illinois Supreme Court has approved a punitive damage ratio of punitive to compensatory damages of 11 to 1, punitive damages, in theory, could tally about $80 million.
“Removing the case to federal court does not mean that the defendant agrees with any of the plaintiffs’ claims or the amount of the damages being claimed,” said Lori Willis, Schnucks spokeswoman, in an email. “Just to be clear, there were no ‘admissions’ in the Schnucks filing.”
State law in both Missouri and Illinois says that any entity that stores or maintains personal data has to notify victims as soon as they become aware of a breach. But Schnucks has said that the data stolen from the cards included only credit card numbers and expiration dates — not names — and therefore, the company was not required to inform victims of the data theft.
The breach began in early December when malicious software, or malware, began lifting card data from the company’s system. The data was being accessed as the transactions were awaiting authorization within the company’s processing system.
The malware, the company said, was stripping data from the magnetic strip on the backs of cards. That strip contains different tracks that are read by card readers. The first track contains a person’s name; the second contains the card number and expiration date. The hackers, Schnucks said, accessed data on only the second stripe.
The company said it became aware on March 15 of questionable activity used on 12 cards used at its stores. On March 19 it hired Mandiant, a Virginia-based forensics firm, to conduct an investigation.
It confirmed the breach to the Post-Dispatch on March 22.
Schnucks located the source of the breach on March 28, and had executed a “containment plan” within 36 hours. The company issued its first news release on the matter March 30, saying the problem was “found and contained.”
After news of the breach emerged, dismayed Schnucks shoppers took to social media and elsewhere, accusing the company of failing to warn customers that their payment cards — either debit or credit — were still at risk.
At the time, law enforcement authorities advised customers to use cash rather than risk exposing their data to a potential breach.
In the ensuing weeks, the company issued a stream of apologies, including full-page ads in the Post-Dispatch and television spots featuring Chairman and CEO Scott Schnuck; but some customers said it was too little, too late.
Security experts interviewed by the Post-Dispatch say that hacks of this type are on the rise as hacker “gangs,” many based in Eastern Europe, go after smaller, regional businesses that they see as easy targets. Grocery store chains are especially vulnerable, some experts note, because they operate on thin margins and may not have the budgets to spend on data security.
In February, Arizona-based Bashas’, which operates 130 grocery stores, was hacked. In 2008 and 2009, Maine-based Hannaford Bros., which operated about 180 stores in New England, New York and Florida, was hacked, with 4.2 million payment cards numbers stolen within a three-month period.
In late March of this year, a federal judge denied class action status to a lawsuit against Hannaford, saying that members of the class did not prove damages on a class-wide basis. In legal circles, the decision suggested that obtaining class actions in data security cases could be increasingly difficult, largely because each member of the class is affected differently.
Schnucks is one of the largest privately held companies in St. Louis, employing nearly 11,000 in the area, and nearly 15,000 total. Revenue last year was about $2.5 billion.