Advertisement

Hy-Vee announces locations of malware-infected sites where customer card data was stolen

  • 102
    Shares

Hy-Vee Gas, 1103 N Dodge St, Iowa City. — Emma McClatchey/Little Village

Two months after Hy-Vee first discovered a data security breach that allowed criminals to steal the debit and credit card data of customers, the company has released information regarding the locations of the stores where the thefts occurred.

On Aug. 14, the company issued a press release stating the data breach only affected customers who used debit and credit cards at its fuel pumps, drive-thru coffee shops and restaurants (Market Grilles, Market Grille Expresses and its Wahlburgers locations). No purchases at “our grocery stores, drugstores and inside our convenience stores” were at-risk, the company explained, because those sales are processed using a different, more secure system.

In that press release, Hy-Vee didn’t explain when the data breach had been detected, or the locations it had compromised. In its new press release, the company said it discovered malware harvesting customer card data on July 29, and provided a searchable online database of affected sites.

According to Hy-Vee, it shut down the malware at most locations on the same day it was first discovered. By then, customer data had been exposed to possible theft for seven to eight months.

Data security expert Brian Krebs reported on Aug. 22 that card data stolen from Hy-Vee was on sale at Joker’s Bazaar, a site that traffics in stolen card data.

“The card account records sold by Joker’s Stash, known as ‘dumps,’ apparently stolen from Hy-Vee are being sold for prices ranging from $17 to $35 apiece,” Krebs explained. “Buyers typically receive a text file that includes all of their dumps. Those individual dumps records — when encoded onto a new magnetic stripe on virtually anything the size of a credit card — can be used to purchase stolen merchandise in big box stores.”

Hy-Vee’s database lists eight locations that were infected by malware in Johnson County, and three in Linn County.

Johnson County

Iowa City

North Dodge Street Hy-Vee: Pay at the Pump, infected from Dec. 14, 2018 to July 29, 2019; Market Grille, infected from Jan. 15, 2019 to July 29, 2019.

Waterfront Hy-Vee: Pay at the Pump, infected from Dec. 14, 2018 to July 29, 2019; Market Grille, infected from Jan. 15, 2019 to July 29, 2019.

Eastside/1st Avenue Hy-Vee: Market Grille, infected from Jan. 15, 2019 to July 1, 2019
 

Coralville

Lantern Park Plaza Hy-Vee: Pay at the Pump, infected from Dec. 17, 2018 to July 29, 2019; Market Grille, infected from Jan. 15, 2019 to July 16, 2019

Crosspark Road Hy-Vee: Market Grille, infected from Jan. 15, 2019 to July 29, 2019
 

Linn County

Cedar Rapids

Wilson Avenue Hy-Vee: Pay at the Pump, infected Dec. 14, 2018 to July 29, 2019

Johnson Avenue Hy-Vee: Market Grille, infected Jan. 15, 2019 to July 29, 2019
 

Marion

Marion Hy-Vee: Pay at the Pump, infected Dec. 14, 2018 to July 29, 2019
 

In the press release accompanying the database, Hy-Vee did not disclose the total number of infected locations, but the database lists 37 cities in Iowa besides the four in Johnson and Linn. The chain has more than 245 stores in eight Midwestern states, and locations in all those states appear in the database.

Hy-Vee said “we continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.”

The company advised customers who potentially had their card data stolen to monitor their card statements for unauthorized purchases.


  • 102
    Shares

Comments:

  1. I know that I purchased gas at the Marion HyVee at least once (maybe twice) during that time period, but I have not had any problems with my account. Should I still be concerned?

    1. Hi Kathy,

      It’s hard to know. It’s been less than two months since the stolen data was reported on sale at the Joker’s Stash, where people who want to use the numbers buy them in massive data “dumps.” A lot of those numbers will never end up being used, but it’s still worthwhile to check your statements every month, and immediately dispute any suspect charges.

Leave a Reply

Your email address will not be published. Required fields are marked *

Advertisement

A collaboration between The Englert Theatre and FilmScene

STRENGTHEN
GROW•EVOLVE

Help us build the greatest small city for the arts in America—right here in Iowa City. Learn more »

Donate Today

Strengthen • Grow • Evolve is a collaborative campaign led by two Iowa City-based arts nonprofits, The Englert Theatre and FilmScene that seeks a major reinvestment to strengthen the arts through modern and historic venues, innovative programming, and new models of collaboration.

For 18 years...

Little Village has been telling the truth and changing our little corner of the world.

If you can, help us head into the next 18 years even stronger with a one-time or monthly contribution of $18, or any amount you choose.

Little Village
2019 Give Guide

Get to know some of the nonprofits helping to make the CRANDIC a better place to live.