Internet ‘bazaar’ announces it’s selling card data stolen in Hy-Vee data breach


Hy-Vee Gas, 1103 N Dodge St, Iowa City. — Emma McClatchey/Little Village

Information from more than 5.3 million debit and credit cards stolen during a data breach at Hy-Vee went on sale this week at a site that traffics in stolen card data, according to security reporter Brian Krebs.

“According to two sources who asked not to be identified for this story — including one at a major U.S. financial institution — the card data stolen from Hy-Vee is now being sold under the code name ‘Solar Energy,’ at the infamous Joker’s Stash carding bazaar,” Krebs reported on Thursday.

Hy-Vee announced last week that it was investigating a potential data breach at its fuel pumps, drive-thru coffee shops, and restaurants (Market Grilles, Market Grille Expresses and its Wahlburgers locations). The company said in-store purchases, including those made at the supermarket’s check-out registers, were unaffected, because those transactions were conducted using a system with more sophisticated encryption.

“The card account records sold by Joker’s Stash, known as ‘dumps,’ apparently stolen from Hy-Vee are being sold for prices ranging from $17 to $35 apiece,” Krebs said. “Buyers typically receive a text file that includes all of their dumps. Those individual dumps records — when encoded onto a new magnetic stripe on virtually anything the size of a credit card — can be used to purchase stolen merchandise in big box stores.”

According to Krebs, the stolen card data for sale belongs to people living in 35 states.

Krebs — who reported on internet security for the Washington Post for more than a decade, before creating his own news site, Krebs on Security — has reported extensively on Joker’s Stash.

Since opening for business in early October 2014, Joker’s Stash has attracted dozens of customers who’ve spent five- and six-figures at the carding store. All customers are buying card data that will be turned into counterfeit cards and used to fraudulently purchase gift cards, electronics and other goods at big-box retailers like Target and Wal-Mart.

Unlike so many carding sites that mainly resell cards stolen by other hackers, Joker’s Stash claims that all of its cards are ‘exclusive, self-hacked dumps.’

‘This mean [sic] – in our shop you can buy only our own stuff, and our stuff you can buy only in our shop – nowhere else,’ Joker’s Stash explained on an introductory post on a carding forum in October 2014.

A Hy-Vee spokesperson told Krebs, “We are aware of reports from payment processors and the card networks of payment data being offered for sale and are working with the payment card networks so that they can identify the cards and work with issuing banks to initiate heightened monitoring on accounts.”

A spokesperson for the Iowa Attorney General told the Des Moines Register on Friday that Hy-Vee had not yet contacted the AG’s office. State law requires any company experiencing a data breach that affects 500 or more customers to contact the AG’s office.

Hy-Vee told both Krebs and the Register that it is continuing to investigate the data breach.
