Too Much Credit

Millions of grocery shoppers, from Missouri to Arizona, are going through the hassle of getting new credit and debit cards after their information was stolen in a store security breach. Some are so upset, they’ve sued. But what do they really have to gain, other than years of litigation and perhaps a coupon at the end?

A month after the Arizona-based grocery chain Bashas’ announced a credit card security breach in its stores (read: “Another Reason to Consider Paying Cash”), St. Louis-based Schnucks announced a similar data hack in its own stores (read: “Fraud Alert: Police Warn Not to Use Credit Cards at Schnucks”). Bashas’, at least so far, hasn’t been sued. But Schnucks has – twice.

Two separate class action lawsuits seek unspecified damages from Schnucks. They also accuse the grocery chain of being negligent in failing to protect its customers’ payment data, and for not alerting customers as soon as it had an inkling there may have been a problem. “Schnucks’ response to the breach of its customers’ private financial information did not come until at least two weeks after Schnucks claims it first became aware of it,” one lawsuit reads, adding that the response Schnucks ultimately did offer “consisted of self-serving statements to reassure customers that it had ‘found and contained’ the issue.”

Schnucks argues that it wasn’t knowingly withholding information, but waiting until it had a handle on the full extent of the problem. Discovering that there was “a problem with a few cards and confirming a security breach are different things,” spokesperson Lori Willis told the St. Louis Post-Dispatch. Schnucks also denies negligence, claiming that since the hackers obtained only information and not names, that exempted the chain from having to immediately notify customers, under state law.

Many customers, and the plaintiffs in the dual lawsuits, aren’t buying those explanations. They say Schnucks should have immediately advised customers against using credit or debit cards during its investigation, instead of allowing cards to continue to be used and compromised.


Could Schnucks have done more? Quite possibly. Are the plaintiffs going to get much for their troubles? Possibly not.

Class-action lawsuits against retailers very often end in “coupon settlements”, in which members of the class action are offered a token coupon or other discount, while the lawyers get paid handsomely (read: “I Sued a Store And All I Got Was This Lousy Coupon”). That’s especially true when the plaintiffs can’t prove specific, actual damages. In one of the lawsuits against Schnucks, only one of the plaintiffs claims she was not reimbursed by her bank for a single $5 fraudulent charge, and otherwise suffered non-reimbursable hardships like being “forced to borrow money for groceries”.

In the absence of a specific dollar amount named by plaintiffs, they often get very little. In a lawsuit against the Maine-based Hannaford grocery chain that’s dragged on for years, a judge earlier this month denied class-action certification, because the plaintiffs failed to show how much out-of-pocket expenses they incurred as a result of a 2008 credit card breach. For cases that are ultimately settled, a 2012 Temple University study on data breach litigation found that the mean value of settlements awarded to plaintiffs was about $2,500, but “with most awards being a nominal amount… and often awarded to named plaintiffs only.” Attorney fees, however, amounted to a mean value of $1.2 million.

Interestingly, the study also found that goodwill on the part of an affected retailer can pay off. While many are criticizing Schnucks for not doing enough to warn its customers, and for a too-little-too-late public apology posted on the store’s website this week, the study found that the odds of a firm being sued in federal court are six times lower when the firm provides free credit monitoring following the breach. Both Bashas’ and Schnucks have encouraged customers to monitor their credit reports, but neither has offered free monitoring.

Yet free credit monitoring is about all that most customers of Michaels crafts stores are going to get in a settlement with that chain. In the settlement, which was granted final approval just yesterday, customers whose cards were compromised at certain locations in 2011 (find out if you’re eligible at MichaelsDataSettlement.com) can apply for “compensation and/or credit monitoring.” Those seeking compensation have to prove they suffered “out-of-pocket monetary loss.”

A voucher for free credit monitoring is not quite a “coupon”, but in the end, it’s similar to the all-too-familar “coupon settlements” – the plaintiffs get little, the lawyers get a lot. “Class Counsel and the Class Representatives will seek up to $1,200,000 as fees and up to $100,000 in reimbursement of litigation expenses,” the attorneys in the Michaels case write.

So if you ultimately join one of the cases against Schnucks, file a case against Bashas’, or are involved in a similar case in the future – enjoy the years worth of litigation, and the few bucks and/or coupon and credit monitoring you may ultimately receive. The lawyers who helped file the case, and cashed in as a result, will thank you.


  1. I really think it is just ridiculous people want to go after the retailer that was hacked. Nobody even cares about who actually hacked the system. Schnucks was just as much the victim as the customers. Everyone should be insured and if you are not i bet you Schnucks will pay whatever you lost. Why is your credit card insured? Maybe just for this reason. Because this could happen anywhere you use your card. And if you are worried someone can steal your identity they only need your name and address and I bet you put that all over the Internet.

  2. I was just informed by my credit card company that I was a victim of the Schnuck’s theft… more than a month after Schnuck’s allegedly discovered the theft, and three weeks after they “contained” the problem. I got ZERO notification from Schnuck’s that I was at risk. Now I have to clean up the mess, with the help of my credit card company. I don;t care of I get nothing from a class action lawsuit; it’ll be enough to know that Schnuck’s will be paying the lawyers for their lack of care with *my* precious credit information.

Leave a Reply

Your email address will not be published. Required fields are marked *


Privacy Policy
Disclosure Policy