The massive payment card hack that hit the Schnucks supermarket chain in recent months could cost the company $80 million in Illinois alone.
Court records show Schnucks wants to move an Illinois lawsuit related to a security breach affecting credit and debit cards of its customers to a federal court.
Schnucks has said the breach of up to 2.4 million cards dated to December and came to light in March. The company said the lawsuit filed against it on behalf of a Belleville shopper is meritless.
Two of the suits have been filed in Missouri; one in Illinois.
The suits allege that Schnucks knew about the breach days, perhaps longer, before it revealed the hack, and should have told customers about it sooner. The suit filed in Illinois on April 25 says the breach cost customers time and money, requiring cardholders to spend hours canceling and getting replacement cards, and resetting automatic payments.
The St. Louis Post-Dispatch reports that state law in both Missouri and Illinois says that any entity that stores or maintains personal data has to notify victims as soon as it becomes aware of a breach. But Schnucks has said that the data stolen from the cards included only credit card numbers and expiration dates — not names — and therefore, the company was not required to inform victims of the data theft.
The breach began in early December when malicious software, or malware, started lifting card data from the company’s system. The data was being accessed as the transactions were awaiting authorization within the company’s processing system.
The malware, the company said, was stripping data from the magnetic stripe on the backs of cards. That stripe contains different tracks that are read by card readers. The first track contains a person’s name; the second contains the card number and expiration date. The hackers, Schnucks said, accessed data on only the second track.
The company said it became aware on March 15 of questionable activity on 12 cards used at its stores. On March 19 it hired Mandiant, a Virginia-based forensics firm, to conduct an investigation.
It confirmed the breach to the Post-Dispatch on March 22.
Schnucks located the source of the breach on March 28 and executed a “containment plan” within 36 hours. The company issued its first news release on the matter March 30, saying the problem was “found and contained.”