Advertisement

Hy-Vee announces locations of malware-infected sites where customer card data was stolen

  • 102
    Shares

Hy-Vee Gas, 1103 N Dodge St, Iowa City. — Emma McClatchey/Little Village

Two months after Hy-Vee first discovered a data security breach that allowed criminals to steal the debit and credit card data of customers, the company has released information regarding the locations of the stores where the thefts occurred.

On Aug. 14, the company issued a press release stating the data breach only affected customers who used debit and credit cards at its fuel pumps, drive-thru coffee shops and restaurants (Market Grilles, Market Grille Expresses and its Wahlburgers locations). No purchases at “our grocery stores, drugstores and inside our convenience stores” were at-risk, the company explained, because those sales are processed using a different, more secure system.

In that press release, Hy-Vee didn’t explain when the data breach had been detected, or the locations it had compromised. In its new press release, the company said it discovered malware harvesting customer card data on July 29, and provided a searchable online database of affected sites.

According to Hy-Vee, it shut down the malware at most locations on the same day it was first discovered. By then, customer data had been exposed to possible theft for seven to eight months.

Data security expert Brian Krebs reported on Aug. 22 that card data stolen from Hy-Vee was on sale at Joker’s Bazaar, a site that traffics in stolen card data.

“The card account records sold by Joker’s Stash, known as ‘dumps,’ apparently stolen from Hy-Vee are being sold for prices ranging from $17 to $35 apiece,” Krebs explained. “Buyers typically receive a text file that includes all of their dumps. Those individual dumps records — when encoded onto a new magnetic stripe on virtually anything the size of a credit card — can be used to purchase stolen merchandise in big box stores.”

Hy-Vee’s database lists eight locations that were infected by malware in Johnson County, and three in Linn County.

Johnson County

Iowa City

North Dodge Street Hy-Vee: Pay at the Pump, infected from Dec. 14, 2018 to July 29, 2019; Market Grille, infected from Jan. 15, 2019 to July 29, 2019.

Waterfront Hy-Vee: Pay at the Pump, infected from Dec. 14, 2018 to July 29, 2019; Market Grille, infected from Jan. 15, 2019 to July 29, 2019.

Eastside/1st Avenue Hy-Vee: Market Grille, infected from Jan. 15, 2019 to July 1, 2019
 

Coralville

Lantern Park Plaza Hy-Vee: Pay at the Pump, infected from Dec. 17, 2018 to July 29, 2019; Market Grille, infected from Jan. 15, 2019 to July 16, 2019

Crosspark Road Hy-Vee: Market Grille, infected from Jan. 15, 2019 to July 29, 2019
 

Linn County

Cedar Rapids

Wilson Avenue Hy-Vee: Pay at the Pump, infected Dec. 14, 2018 to July 29, 2019

Johnson Avenue Hy-Vee: Market Grille, infected Jan. 15, 2019 to July 29, 2019
 

Marion

Marion Hy-Vee: Pay at the Pump, infected Dec. 14, 2018 to July 29, 2019
 

In the press release accompanying the database, Hy-Vee did not disclose the total number of infected locations, but the database lists 37 cities in Iowa besides the four in Johnson and Linn. The chain has more than 245 stores in eight Midwestern states, and locations in all those states appear in the database.

Hy-Vee said “we continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.”

The company advised customers who potentially had their card data stolen to monitor their card statements for unauthorized purchases.


  • 102
    Shares
Thoughts? Tips? A cute picture of a dog? Share them with LV » editor@littlevillagemag.com

Advertisement

Summer Programs 2020

Get 150+ local restaurants delivered to your door in the Iowa City & Cedar Rapids areas!

HAPPY BIRTHDAY TO US!

July 2020 marks Little Village’s 19th anniversary. With our community of readers alongside us, we’ll be ready for what the next 19 have in store.

BECOME A SUPPORTER:

Regular

$10/mo or $120/year
(AUTO-RENEW)
The cost of doing this work really adds up! Your contribution at this level will cover telephone and internet expenses for one month at the LV editorial offices.

Italic

$20/mo or $240/year
(AUTO-RENEW)
$240 is enough to cover one month’s costs for sending out our weekly entertainment newsletter, The Weekender. Make a contribution at this level to put a little more oomph on your support and your weekend.

Bold

$30/mo or $360/year
(AUTO-RENEW)
LittleVillageMag.com connects eastern Iowa culture with the world. Your contribution at this level will cover the site’s hosting costs for three months. A bold move for our boldest supporters!

All monthly and annual contributors receive:

  • Recognition on our Supporters page (aliases welcome)
  • Exclusive early access when we release new half-price gift cards
  • Access to a secret Facebook group where you can connect with other supporters and discuss the latest news and upcoming events (and maybe swap pet pics?) with the LV staff
  • Invitations to periodic publisher chats (held virtually for now) to meet with Matt and give him a piece of your mind, ask your burning questions and hear more about the future plans for Little Village, Bread & Butter Magazine, Witching Hour Festival and our other endeavors.