
Two months after Hy-Vee first discovered a data security breach that allowed criminals to steal the debit and credit card data of customers, the company has released information regarding the locations of the stores where the thefts occurred.
On Aug. 14, the company issued a press release stating the data breach only affected customers who used debit and credit cards at its fuel pumps, drive-thru coffee shops and restaurants (Market Grilles, Market Grille Expresses and its Wahlburgers locations). No purchases at “our grocery stores, drugstores and inside our convenience stores” were at risk, the company explained, because those sales are processed using a different, more secure system.
In that press release, Hy-Vee didn’t explain when the data breach had been detected, or the locations it had compromised. In its new press release, the company said it discovered malware harvesting customer card data on July 29, and provided a searchable online database of affected sites.
According to Hy-Vee, it shut down the malware at most locations on the same day it was first discovered. By then, customer data had been exposed to possible theft for seven to eight months.
Data security expert Brian Krebs reported on Aug. 22 that card data stolen from Hy-Vee was on sale at Joker’s Bazaar, a site that traffics in stolen card data.
“The card account records sold by Joker’s Stash, known as ‘dumps,’ apparently stolen from Hy-Vee are being sold for prices ranging from $17 to $35 apiece,” Krebs explained. “Buyers typically receive a text file that includes all of their dumps. Those individual dumps records — when encoded onto a new magnetic stripe on virtually anything the size of a credit card — can be used to purchase stolen merchandise in big box stores.”
Hy-Vee’s database lists eight locations that were infected by malware in Johnson County, and three in Linn County.
Johnson County
Iowa City
North Dodge Street Hy-Vee: Pay at the Pump, infected from Dec. 14, 2018 to July 29, 2019; Market Grille, infected from Jan. 15, 2019 to July 29, 2019.
Waterfront Hy-Vee: Pay at the Pump, infected from Dec. 14, 2018 to July 29, 2019; Market Grille, infected from Jan. 15, 2019 to July 29, 2019.
Eastside/1st Avenue Hy-Vee: Market Grille, infected from Jan. 15, 2019 to July 1, 2019
Coralville
Lantern Park Plaza Hy-Vee: Pay at the Pump, infected from Dec. 17, 2018 to July 29, 2019; Market Grille, infected from Jan. 15, 2019 to July 16, 2019
Crosspark Road Hy-Vee: Market Grille, infected from Jan. 15, 2019 to July 29, 2019
Linn County
Cedar Rapids
Wilson Avenue Hy-Vee: Pay at the Pump, infected Dec. 14, 2018 to July 29, 2019
Johnson Avenue Hy-Vee: Market Grille, infected Jan. 15, 2019 to July 29, 2019
Marion
Marion Hy-Vee: Pay at the Pump, infected Dec. 14, 2018 to July 29, 2019
In the press release accompanying the database, Hy-Vee did not disclose the total number of infected locations, but the database lists 37 cities in Iowa besides the four in Johnson and Linn. The chain has more than 245 stores in eight Midwestern states, and locations in all those states appear in the database.
Hy-Vee said “we continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.”
The company advised customers who potentially had their card data stolen to monitor their card statements for unauthorized purchases.


I know that I purchased gas at the Marion HyVee at least once (maybe twice) during that time period, but I have not had any problems with my account. Should I still be concerned?
Hi Kathy,
It’s hard to know. It’s been less than two months since the stolen data was reported on sale at the Joker’s Stash, where people who want to use the numbers buy them in massive data “dumps.” A lot of those numbers will never end up being used, but it’s still worthwhile to check your statements every month, and immediately dispute any suspect charges.