The lawsuit stems from a data breach at BJ's that was discovered in 2004 in which hackers gained access to the retailer's network and stole 9.2 million credit card numbers. Thieves subsequently racked up millions of dollars in transactions using the stolen cards. As a result of the breach, the credit unions, which originally issued the stolen MasterCard and Visa cards, had to pay costs associated with canceling the cards and reissuing new ones.After the breach was discovered, BJ's admitted that the transaction processing software it was using permanently stored magnetic stripe data from credit cards after transactions were completed, allowing cybercrooks to steal the data once they breached the merchant's network.
A year after the breach, roughly 70 credit unions and their insurance company, CUMIS Insurance Society, sued BJ's and Fifth Third. The plaintiffs claimed they were third-party beneficiaries of BJ's contract with Fifth Third, entitling them to relief for damages that resulted from the breach.
Also, the plaintiffs alleged that with each transaction that was submitted for approval, BJ's and Fifth Third falsely represented that they were contractually compliant to maintain the security of the credit unions' cardholder information.The case was previously dismissed by two lower courts, which found that BJ's contract with Fifth Third excluded enforcement of the contract by third parties. The credit unions were contesting the decisions in appeals court when the Supreme Court took up the case.