Business

Hackers listed stolen data from 5.3 million Hy-Vee customer accounts for sale online, report says

The Crosspark Road Hy-Vee store in Coralville on Monday, Oct. 15, 2018. (File photo/The Gazette)
The Crosspark Road Hy-Vee store in Coralville on Monday, Oct. 15, 2018. (File photo/The Gazette)
/

A site of self-proclaimed “hacking merchants” currently has listed data for sale from more than 5.3 million credit and debit card accounts in 35 states.

That data reportedly came from the payment processing system breach Hy-Vee announced earlier this month, according to a Thursday post by Brian Krebs, a former computer security reporter with The Washington Post, on his blog Krebs on Security.

Krebs cites two sources who asked not to be identified, including one at a major U.S. financial institution, in reporting that the Hy-Vee account data is being listed under the pseudonym “Solar Energy” on Joker’s Cash — a carding website where users can pay Bitcoin for what the site has claimed are “exclusive, self-hacked dumps.”

Previous site victims have included Sonic, Lord & Taylor, Chipotle and Whole Foods.

“Dumps” of the alleged Hy-Vee data are priced at $17 to $35 apiece. These, Krebs writes, consist of text files with individual records that, if encoded onto a new magnetic stripe on a credit card-sized object, could be used to buy stolen merchandise.

In a statement to The Gazette, Hy-Vee spokeswoman Tina Pothoff said the company’s investigation is continuing.

“We are aware of reports from payment processors and the card networks of payment data being offered for sale and are working with the payment card networks so that they can identify the cards and work with issuing banks to initiate heightened monitoring on accounts,” she said.

ARTICLE CONTINUES BELOW ADVERTISEMENT

Pothoff said Hy-Vee will share more information once it confirms locations and customers who might have been impacted.

Hy-Vee announced Aug. 14 that its investigation began after it found unauthorized activity at some of its payment processing systems, affecting the grocer’s fuel pumps, coffee shops and restaurants, but not its grocery stores, drugstores or convenience stores.

The company did not indicate specific time frames or locations but said it believes its actions have stopped the unauthorized activity.

Based out of West Des Moines, Hy-Vee currently operates more than 245 retail stores across eight Midwestern states.

l Comments: (319) 398-8366; thomas.friestad@thegazette.com

Give us feedback

We value your trust and work hard to provide fair, accurate coverage. If you have found an error or omission in our reporting, tell us here.

Or if you have a story idea we should look into? Tell us here.