A site of self-proclaimed “hacking merchants” currently lists for sale data from more than 5.3 million credit and debit card accounts in 35 states.
That data reportedly came from the payment processing system breach Hy-Vee announced earlier this month, according to a Thursday post by Brian Krebs, a former computer security reporter with The Washington Post, on his blog Krebs on Security.
Krebs cites two sources who asked not to be identified, including one at a major U.S. financial institution, in reporting that the Hy-Vee account data is being listed under the pseudonym “Solar Energy” on Joker’s Cash — a carding website where users can pay Bitcoin for what the site has claimed are “exclusive, self-hacked dumps.”
“Dumps” of the alleged Hy-Vee data are priced at $17 to $35 apiece. These, Krebs writes, consist of text files with individual records that, if encoded onto a new magnetic stripe on a credit card-sized object, could be used to buy stolen merchandise.
In a statement to The Gazette, Hy-Vee spokeswoman Tina Pothoff said the company’s investigation is continuing.
“We are aware of reports from payment processors and the card networks of payment data being offered for sale and are working with the payment card networks so that they can identify the cards and work with issuing banks to initiate heightened monitoring on accounts,” she said.
Pothoff said Hy-Vee will share more information once it confirms locations and customers who might have been impacted.
Hy-Vee announced Aug. 14 that its investigation began after it found unauthorized activity at some of its payment processing systems, affecting the grocer’s fuel pumps, coffee shops and restaurants, but not its grocery stores, drugstores or convenience stores.
The company did not indicate specific time frames or locations but said it believes its actions have stopped the unauthorized activity.
Based out of West Des Moines, Hy-Vee currently operates more than 245 retail stores across eight Midwestern states.
Comments: (319) 398-8366; email@example.com