Two months after Hy-Vee first discovered a data security breach that allowed criminals to steal the debit and credit card data of customers, the company has released information regarding the locations of the stores where the thefts occurred.
On Aug. 14, the company issued a press release stating the data breach only affected customers who used debit and credit cards at its fuel pumps, drive-thru coffee shops and restaurants (Market Grilles, Market Grille Expresses and its Wahlburgers locations). No purchases at “our grocery stores, drugstores and inside our convenience stores” were at-risk, the company explained, because those sales are processed using a different, more secure system.
In that press release, Hy-Vee didn’t explain when the data breach had been detected, or the locations it had compromised. In its new press release, the company said it discovered malware harvesting customer card data on July 29, and provided a searchable online database of affected sites.
According to Hy-Vee, it shut down the malware at most locations on the same day it was first discovered. By then, customer data had been exposed to possible theft for seven to eight months.
Data security expert Brian Krebs reported on Aug. 22 that card data stolen from Hy-Vee was on sale at Joker’s Bazaar, a site that traffics in stolen card data.
“The card account records sold by Joker’s Stash, known as ‘dumps,’ apparently stolen from Hy-Vee are being sold for prices ranging from $17 to $35 apiece,” Krebs explained. “Buyers typically receive a text file that includes all of their dumps. Those individual dumps records — when encoded onto a new magnetic stripe on virtually anything the size of a credit card — can be used to purchase stolen merchandise in big box stores.”
Hy-Vee’s database lists eight locations that were infected by malware in Johnson County, and three in Linn County.
North Dodge Street Hy-Vee: Pay at the Pump, infected from Dec. 14, 2018 to July 29, 2019; Market Grille, infected from Jan. 15, 2019 to July 29, 2019.
Waterfront Hy-Vee: Pay at the Pump, infected from Dec. 14, 2018 to July 29, 2019; Market Grille, infected from Jan. 15, 2019 to July 29, 2019.
Eastside/1st Avenue Hy-Vee: Market Grille, infected from Jan. 15, 2019 to July 1, 2019
Lantern Park Plaza Hy-Vee: Pay at the Pump, infected from Dec. 17, 2018 to July 29, 2019; Market Grille, infected from Jan. 15, 2019 to July 16, 2019
Crosspark Road Hy-Vee: Market Grille, infected from Jan. 15, 2019 to July 29, 2019
Wilson Avenue Hy-Vee: Pay at the Pump, infected Dec. 14, 2018 to July 29, 2019
Johnson Avenue Hy-Vee: Market Grille, infected Jan. 15, 2019 to July 29, 2019
Marion Hy-Vee: Pay at the Pump, infected Dec. 14, 2018 to July 29, 2019
In the press release accompanying the database, Hy-Vee did not disclose the total number of infected locations, but the database lists 37 cities in Iowa besides the four in Johnson and Linn. The chain has more than 245 stores in eight Midwestern states, and locations in all those states appear in the database.
Hy-Vee said “we continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.”
The company advised customers who potentially had their card data stolen to monitor their card statements for unauthorized purchases.