Hy-Vee Issues “Notice of Payment Card Data Incident”

Hy-Vee Supermarket Chain Issues “Notice of Payment Card Data Incident”

On August 14, 2019, Hy-Vee published a “Notice of Payment Card Data Incident,” which, among other things, stated that Hy-Vee is investigating:

. . . a security incident involving [its] payment processing systems that is focused on transactions at some Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants, as well as to provide information on the measures [Hy-Vee has] taken in response and steps customers may consider taking as well.

After recently detecting unauthorized activity on some of [its] payment processing systems, [Hy-Vee] immediately began an investigation with the help of leading cybersecurity firms. [Hy-Vee] also notified federal law enforcement and the payment card networks. [Hy-Vee believes] the actions [it has] taken [have] stopped the unauthorized activity on [its] payment processing systems. [Hy-Vee’s] investigation is focused on card transactions at our fuel pumps, drive-thru coffee shops, and restaurants (which include our Market Grilles, Market Grille Expresses and the Wahlburgers locations that Hy-Vee owns and operates). These locations have different point-of-sale systems than those located at [Hy-Vee] grocery stores, drugstores and inside [its] convenience stores, which utilize point-to-point encryption technology for processing payment card transactions. This encryption technology protects card data by making it unreadable. Based on [Hy-Vee’s] preliminary investigation, [Hy-Vee believes] payment card transactions that were swiped or inserted on these systems, which are utilized at [its] front-end checkout lanes, pharmacies, customer service counters, wine & spirits locations, floral departments, clinics and all other food service areas, as well as transactions processed through Aisles Online, are not involved. [Emphasis added.]

On August 15, 2019, supermarketnews.com reported (“Hy-Vee notifies customers of payment data breach”) that

Supermarket chain Hy-Vee has revealed that the credit card payment information of some of its customers has been exposed in a recent data breach. The exact number of customers and locations has not yet been determined.

The West Des Moines, Iowa-based operator of 245 stores says there was a “security incident” involving the payment processing systems at its fuel pumps, drive-through coffee shops and restaurants. The restaurants include its Market Grilles, Market Grille Express and company-owned Wahlburgers locations operating at its stores. [Emphasis added.]

Have You Been Impacted by A Data Breach?

If so, please either contact Kehoe Law Firm, P.C. Partner Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], complete the form on the right or send an e-mail to [email protected] for a free, no-obligation case evaluation of your facts to determine whether your privacy rights have been violated and whether there is a basis for a data privacy class action.

Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs.  Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.

Kehoe Law Firm, P.C.

 

ProPetro Holding Corp. – PUMP – Securities Investigation

A class action lawsuit has been filed in United States District Court on behalf of individuals and entities that purchased, or otherwise acquired, the securities of ProPetro Holding Corp. (“ProPetro” or the “Company”) (NYSE: PUMP) a) pursuant and/or traceable to the registration statement and prospectus (collectively, the “Registration Statement”) issued in connection with ProPetro’s March 2017 initial public offering (“IPO”); and/or b) between March 17, 2017 and August 8, 2019, inclusive (the “Class Period”).

The lawsuit is pursuing claims under Sections 11 and 15 of the Securities Act of 1933 and Sections 10(b) and 20(a) of the Securities Exchange Act of 1934.

If you purchased ProPetro securities and suffered losses, please contact either John Kehoe, Esq., (215) 792-6676, Ext. 801, [email protected], or Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], [email protected], to learn more about the lawsuit or the securities investigation.

In March 2017, ProPetro concluded its IPO, in which it sold 25 million shares of common stock at $14.00 per share.

On August 8, 2019, after the market closed, ProPetro issued a press release delaying its second quarter earnings conference call and quarterly report, citing an ongoing review by its audit committee.

Specifically, ProPetro announced its “. . . preliminary financial and operational results for the second quarter of 2019 and delayed its second quarter earnings conference call in order to allow additional time to complete its Quarterly Report on Form 10-Q for the three months ended June 30, 2019 (the “Form 10-Q”).” [Emphasis added.]

The Company also stated that

[t]he delay in the Form 10-Q is due to an ongoing review by the audit committee of the Company’s board of directors which initially focused on the disclosure of agreements previously entered into by the Company with AFGlobal for the purchase of Durastim® hydraulic fracturing fleets and effective communications related thereto. A corrective release regarding these agreements which addressed the disclosure issue was previously issued on June 28, 2019.

As part of the review, the audit committee expanded its work to include, among other items, expense reimbursements and certain transactions involving related parties or potential conflicts of interest, as described in the Company’s current report on Form 8-K filed today, August 8, 2019. While the additional work has resulted in the reversal of certain expense reimbursements, the establishment of a disclosure committee and other improvements, the audit committee and management have not identified to date any items that would require revision or restatement of the Company’s historical financial statements. The audit committee expects to complete its review within the next 30 days. [Emphasis added.]

On this news, the Company’s stock price fell $4.59 per share, or over 26%, to close at $12.75 per share on August 9, 2019, thereby injuring investors.

By the time of the class action lawsuit, ProPetro stock traded as low as $11.44 per share, a decline of approximately 18% from the $14 per share IPO price.

The class action complaint alleges that throughout the Class Period, ProPetro Defendants made materially false and/or misleading statements, as well as failed to disclose material adverse facts about ProPetro’s business, operations, and prospects. Specifically, ProPetro Defendants failed to disclose to investors: (1) that ProPetro’s executive officers were improperly reimbursed for certain expenses; (2) that the Company had engaged in certain undisclosed transactions with related parties; (3) that the Company lacked adequate disclosure controls and procedures; (4) that ProPetro lacked effective internal control over financial reporting; and (5) that, as a result of the foregoing, Defendants’ positive statements about ProPetro’s business, operations, and prospects, were materially misleading and/or lacked a reasonable basis.

ProPetro shareholders who suffered losses are encouraged to contact either John Kehoe, Esq., (215) 792-6676, Ext. 801, [email protected], or Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], [email protected], to learn more about the lawsuit or the securities investigation. 

Kehoe Law Firm, P.C.

StockX Data Breach – Customer Data of More Than 6 Million Affected

StockX Reports That an Unknown Third-Party Gained Access to Customer Data

On August 3, 2019, StockX, “the world’s first stock market for things – a live ‘bid/ask’ marketplace,” posted that StockX was

. . . alerted to suspicious activity potentially involving customer data. Upon learning of the suspicious activity, [StockX] immediately launched a comprehensive forensic investigation and engaged third-party data incident and forensic experts to assist. Though [StockX’s] investigation remains ongoing, forensic evidence to date suggests that an unknown third-party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords, and purchase history. From [StockX’s] investigation to date, there is no evidence to suggest that customer financial or payment information has been impacted. [Emphasis added.]

StockX’s “Notice of Data Breach” sent to its customers stated, among other things, the following:

What Happened?

On July 26, 2019, StockX was alerted to suspicious activity potentially involving customer data. [StockX] immediately launched a forensic investigation and engaged experienced third-party experts to assist. During this first week, while [StockX’s] forensic investigation into the suspicious activity was underway, [StockX] took proactive and precautionary measures to protect our customers.  As described in greater detail . . . below, [StockX] deployed a system-wide update, implemented a full password reset of all customer passwords for all StockX accounts, and on the morning of August 1, 2019 sent customers an email alerting them to the systems update and password reset.

As [StockX’s] investigation continued, forensic evidence revealed that an unknown third party had been able to gain unauthorized access to certain customer data from [StockX’s] cloud environment on or around May 14, 2019. [StockX] worked swiftly to issue an email update of the matter to [StockX’s] customers and are now making this notification to further apprise you of additional facts from our investigation.

As part of [StockX’s] efforts to catch the perpetrator, [StockX has] contacted law enforcement and [has] been working with them in their investigation of the incident. [The] investigation into the nature, extent, and scope of the incident remains ongoing, and [StockX] will update you with additional information as necessary.

What Information Was Involved?

From [StockX’s] investigation to date, the information affected may include your name, email address, address, username, hashed password, and purchase history.

As indicated in [StockX’s] prior communications, there is no evidence to date to suggest that any of your financial or payment information has been affected. That is because StockX does not store full payment card or financial data of its customers on its network servers or platform. Instead, any StockX payment card data is processed, stored, and hosted by a third-party payment processor, and not StockX. Based on [StockX’s] investigation to date, [StockX has] no evidence to suggest that [its] third-party payment processing partners or [its] third-party platform has been affected by this incident, nor [does StockX] have any evidence to suggest that any of the customer financial or payment information stored by that third-party has been affected. [Emphasis added.]

Customer Data of Millions Reportedly Exposed by the Data Hack

Techcrunch.com reported [“StockX was hacked, exposing millions of customers’ data”] the following:

It wasn’t “system updates” as it claimed. StockX was mopping up after a data breach, TechCrunch can confirm.

The fashion and sneaker trading platform pushed out a password reset email to its users . . . citing “system updates,” but left users confused and scrambling for answers. StockX told users that the email was legitimate and not a phishing email as some had suspected, but did not say what caused the alleged system update or why there was no prior warning.

A spokesperson eventually told TechCrunch that the company was “alerted to suspicious activity” on its site but declined to comment further.

But that wasn’t the whole truth.

An unnamed data breached seller contacted TechCrunch claiming more than 6.8 million records were stolen from the site in May by a hacker. The seller declined to say how they obtained the data.

In a dark web listing, the seller put the data for sale for $300. One person at the time of writing already bought the data.

The seller provided TechCrunch a sample of 1,000 records. [TechCrunch] contacted customers and provided them information only they would know from their stolen records, such as their real name and username combination and shoe size. Every person who responded confirmed their data as accurate.

The stolen data contained names, email addresses, scrambled password (believed to be hashed with the MD5 algorithm and salted), and other profile information — such as shoe size and trading currency. The data also included the user’s device type, such as Android or iPhone, and the software version. Several other internal flags were found in each record, such as whether or not the user was banned or if European users had accepted the company’s GDPR message. [Emphasis added.]

Kehoe Law Firm, P.C.

 

Grubhub Investigation of Potential Claims on Behalf of GRUB Investors

Kehoe Law Firm, P.C. is investigating potential claims on behalf of shareholders of Grubhub Inc. (“Grubhub” or the “Company”) (NYSE: GRUB) to determine whether Grubhub and certain Grubhub officers or directors breached fiduciary duties owed to Grubhub and the Company’s investors.

On July 11, 2019, the New York Post reported that New York City council member Mark Gjonaj (“Gjonaj”) asked New York’s Attorney General, Letitia James, to commence an antitrust probe of Grubhub. Specifically, the New York Post reported that the “time may have come” for New York’s Attorney General “to revisit the terms of a 2013 settlement agreement that cleared the way for Grubhub’s acquisition of Seamless.” In a letter obtained by the New York Post, Gjonaj stated that he “believe[d] that Grubhub’s outsized market share and heavy-handed tactics could lead to artificially reduced competition which in turn may drive up the commissions paid by struggling locally owned restaurants.”

The New York Post also reported that “[i]n June, the City Council held a hearing on how Grubhub charges fees as high as 30% for its services and questioned Grubhub executives about [t]he [New York Post’s] reports that the company charged restaurants thousands of dollars in commissions for phone orders that never happened.”

Additionally, the New York Post reported that “New York’s Liquor Authority was developing new rules that will significantly curb the delivery industry’s ability to charge double-digit percentages for online ordering and delivery.”  This news, according to the New York Post, “sent Grubhub’s shares down 4%, to $74 a share.”

If you purchased Grubhub securities, please contact either John Kehoe, Esq., (215) 792-6676, Ext. 801, [email protected], or Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], [email protected], to learn more about the Grubhub shareholder investigation.

Kehoe Law Firm, P.C.

State Farm Credential Stuffing Attack – “Bad Actor” Confirmed Information

State Farm Data Breach – “Bad Actor” Was Able to Confirm Valid Online Account Usernames and Passwords

On August 7, 2019, zdnet.com reported (“State Farm says hackers confirmed valid usernames and passwords in credentials stuffing attack”) that State Farm “suffered a credential stuffing attack in July and is now notifying impacted customers.”

The zdnet.com story reported that

US banking and insurance giant State Farm said it suffered a credential stuffing attack during which “a bad actor” was able to confirm valid usernames and passwords for State Farm online accounts.

State Farm said it reset account passwords to all impacted accounts to prevent future abuse from the bad actor. The company is now notifying affected customers.

A State Farm spokesperson told ZDNet the company discovered the credential stuffing attack on July 6, 2019. However, the company did not respond to a direct question asking about the number of impacted accounts. [Emphasis added.]

According to zdnet.com, “[c]redential stuffing attacks are when hackers take username and password combinations that have been made public through security breaches at other companies, and use them to gain access to accounts on other services, hoping that users had reused passwords across accounts.” Further, zdnet.com reported that

[c]ompanies like ad blocker AdGuard, banking giant HSBC, social media site Reddit, video sharing portal DailyMotion, delivery service Deliveroo, enterprise tool Basecamp, restaurant chain Dunkin’ Donuts, tax filing service TurboTax, and UK telco Sky have all publicly acknowledged being on the receiving end of credential stuffing attacks in the past year alone.

Hackers typically use credential stuffing attacks to confirm passwords for online accounts, which they later resell online, on hacking forums or on the dark web. [Emphasis added.]

State Farm’s “Submitted Breach Notification Sample,” submitted to the California Attorney General, among other things, stated:

State Farm recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt access to State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account.

. . . 

During the attempted access, the bad actor received confirmation of a valid user name and password for your account. No sensitive personal information was viewable. After a review of your online account, we have also confirmed that no fraudulent activity occurred. [Emphasis added.]

Additionally, State Farm’s data breach notice stated that State Farm reset passwords “in an effort to prevent additional attempts by the bad actor.”

Kehoe Law Firm, P.C.