Information from more than 5.3 million debit and credit cards stolen during a data breach at Hy-Vee went on sale this week at a site that traffics in stolen card data, according to security reporter Brian Krebs.
“According to two sources who asked not to be identified for this story — including one at a major U.S. financial institution — the card data stolen from Hy-Vee is now being sold under the code name ‘Solar Energy,’ at the infamous Joker’s Stash carding bazaar,” Krebs reported on Thursday.
Hy-Vee announced last week that it was investigating a potential data breach at its fuel pumps, drive-thru coffee shops, and restaurants (Market Grilles, Market Grille Expresses and its Wahlburgers locations). The company said in-store purchases, including those made at the supermarket’s check-out registers, were unaffected, because those transactions were conducted using a system with more sophisticated encryption.
“The card account records sold by Joker’s Stash, known as ‘dumps,’ apparently stolen from Hy-Vee are being sold for prices ranging from $17 to $35 apiece,” Krebs said. “Buyers typically receive a text file that includes all of their dumps. Those individual dumps records — when encoded onto a new magnetic stripe on virtually anything the size of a credit card — can be used to purchase stolen merchandise in big box stores.”
According to Krebs, the stolen card data for sale belongs to people living in 35 states.
Krebs — who reported on internet security for the Washington Post for more than a decade, before creating his own news site, Krebs on Security — has reported extensively on Joker’s Stash.
Since opening for business in early October 2014, Joker’s Stash has attracted dozens of customers who’ve spent five and six figures at the carding store. All customers are buying card data that will be turned into counterfeit cards and used to fraudulently purchase gift cards, electronics and other goods at big-box retailers like Target and Wal-Mart.
Unlike so many carding sites that mainly resell cards stolen by other hackers, Joker’s Stash claims that all of its cards are ‘exclusive, self-hacked dumps.’
‘This mean [sic] – in our shop you can buy only our own stuff, and our stuff you can buy only in our shop – nowhere else,’ Joker’s Stash explained on an introductory post on a carding forum in October 2014.
A Hy-Vee spokesperson told Krebs, “We are aware of reports from payment processors and the card networks of payment data being offered for sale and are working with the payment card networks so that they can identify the cards and work with issuing banks to initiate heightened monitoring on accounts.”
A spokesperson for the Iowa Attorney General told the Des Moines Register on Friday that Hy-Vee had not yet contacted the AG’s office. State law requires any company experiencing a data breach that affects 500 or more customers to contact the AG’s office.
Hy-Vee told both Krebs and the Register that it is continuing to investigate the data breach.