In 2014, grocery stores operated by SuperValu, Inc, AB Acquisition, LLC, and New Albertsons, Inc. suffered two cyberattacks that allowed hackers to steal customers’ card information, including their names, credit or debit card account numbers, expiration dates, personal identification numbers, and card verification value codes. The stolen card information is distinct from the type of personally identifying information generally necessary to open a new fraudulent account, “such as social security numbers, birth dates, or driver’s license numbers.”
The defendants notified customers of the first attack, which occurred in late June and early July 2014, via a press release on August 14, 2014. On September 29, 2014, they announced a second attack, which took place in late August or early September 2014. The plaintiffs alleged that the two data breaches were connected and resulted from the stores’ failure to properly safeguard their customers’ personal information.
The Eighth Circuit Court of Appeals found that the plaintiffs failed to state a claim under Federal Rule12(b)(6) and dismissed the case.
The full opinion can be found by clicking here.
