Hy-Vee has released the locations the retail chain has determined were affected by a cyber breach.
Investigators found that malware had been in operation, designed to search for track data — sometimes entailing cardholder names, card numbers, expiration dates and internal verification codes — as it was routed through point-of-sale devices, Hy-Vee said in a news release.
The grocer first announced Aug. 14 that the breach affected some of its fuel pumps, drive-through coffee shops and restaurants, including Market Grilles, Market Grille Expresses and Wahlburgers locations, plus the cafeteria at the company’s West Des Moines headquarters, though not its grocery stores, drugstores or convenience stores, which use encryption technology.
Precisely when card data might have been breached, and where, varied among Hy-Vee’s locations. At six locations, card data might have been accessed as early as Nov. 9, 2018, and, at one location, as recently as Aug. 2.
Hy-Vee first detected the unauthorized activity on July 29 and enlisted cybersecurity companies to look into the breach.
The affected Corridor locations include:
In Cedar Rapids
• Market Grille — 1843 Johnson Ave. NW (Jan. 15 through July 29)
• Pay at the Pump — 2300 Bowling St. (Dec. 14 through July 29)
• Market Grille — 1914 Eighth St. (Jan. 15 through July 16)
• Market Grille — 3285 Crosspark Rd. (Jan. 15 through July 29)
ARTICLE CONTINUES BELOW ADVERTISEMENT
• Pay at the Pump — 2025 Second St. (Dec. 17 through July 29)
In Iowa City
• Market Grille — 1720 Waterfront Drive (Jan. 15 through July 29)
• Market Grille — 812 South First Ave. (Jan. 15 through July 1)
• Market Grille — 1125 N. Dodge St. (Jan. 15 through July 29)
• Pay at the Pump — 260 Stevens Drive (Dec. 14 through July 29)
• Pay at the Pump — 1103 N. Dodge St. (Dec. 14 through July 29)
• Pay at the Pump — 3550 Highway 151 E. (Dec. 14 through July 29).
The malware was not present on all point-of-sale devices at some locations and appears not to have copied data from all payment cards used while active on a given device, Hy-Vee said.
Other customer information is not believed to have been accessed.
Hy-Vee said it removed the malware, enhanced its security measures and is continuing to consult cybersecurity experts as to how to further strengthen protections for payment card data.
The West Des Moines-based retailer is cooperating with law enforcement’s investigation and working with payment card networks so issuing banks can continue heightened account monitoring.
Self-proclaimed “hacking merchants” at carding bazaar Joker’s Stash allegedly listed Hy-Vee account data for sale online, with “dumps” priced at $17 to $35 apiece, reported former Washington Post computer security journalist Brian Krebs on his Krebs on Security blog in August.
Krebs cited two unnamed sources, including one at a major U.S. financial institution.
In an email Friday, Hy-Vee spokeswoman Tina Potthoff said law enforcement is aware of the reported digital listing, adding, “We are letting the authorities handle any investigation into information that may be on the dark web.”
Hy-Vee does not have sufficient information to determine the names and addresses for all customers who used cards at stores implicated in the breach, nor can it identify how many Iowa residents used a card during that time frame, the company said in a required incident notification letter it sent the state Attorney General’s Office on Thursday.
ARTICLE CONTINUES BELOW ADVERTISEMENT
Customers for whom Hy-Vee does have contact information, however, will receive either a mailed letter or email if the grocer finds that they used cards at breached locations, the company said.
Hy-Vee created a tool for customers to search whether a specific store was affected, and how, at hy-vee.com/paymentcardincident.
Comments: (319) 398-8366; firstname.lastname@example.org