Hackers listed stolen data from 5.3 million Hy-Vee customer accounts for sale online, report says

Aug. 23, 2019 4:02 pm, Updated: Aug. 23, 2019 4:50 pm

A site of self-proclaimed 'hacking merchants” currently has listed data for sale from more than 5.3 million credit and debit card accounts in 35 states.

That data reportedly came from the payment processing system breach Hy-Vee announced earlier this month, according to a Thursday post by Brian Krebs, a former computer security reporter with The Washington Post, on his blog Krebs on Security.

Krebs cites two sources who asked not to be identified, including one at a major U.S. financial institution, in reporting that the Hy-Vee account data is being listed under the pseudonym 'Solar Energy” on Joker's Cash - a carding website where users can pay Bitcoin for what the site has claimed are 'exclusive, self-hacked dumps.”

Previous site victims have included Sonic, Lord & Taylor, Chipotle and Whole Foods.

'Dumps” of the alleged Hy-Vee data are priced at $17 to $35 apiece. These, Krebs writes, consist of text files with individual records that, if encoded onto a new magnetic stripe on a credit card-sized object, could be used to buy stolen merchandise.

In a statement to The Gazette, Hy-Vee spokeswoman Tina Pothoff said the company's investigation is continuing.

'We are aware of reports from payment processors and the card networks of payment data being offered for sale and are working with the payment card networks so that they can identify the cards and work with issuing banks to initiate heightened monitoring on accounts,” she said.

Pothoff said Hy-Vee will share more information once it confirms locations and customers who might have been impacted.

Hy-Vee announced Aug. 14 that its investigation began after it found unauthorized activity at some of its payment processing systems, affecting the grocer's fuel pumps, coffee shops and restaurants, but not its grocery stores, drugstores or convenience stores.