More than 5.3 million new payment card accounts on sale at an underground data market may be tied to the July data security event suffered by Hy-Vee Inc. at its fuel pumps, drive-thru coffee shops and restaurants, a security researcher announced this week.
Card account records from cardholders in 35 U.S. states are being sold under the name “Solar Energy Breach” by Joker’s Stash, an online market known for selling compromised accounts such as those at the previously compromised Hilton Hotels and Bebe Stores, Brian Krebs at Krebs on Security reports.
Citing two unnamed sources, one of which Krebs said works at “a major U.S. financial institution,” Krebs reported at least some of the data in the “Solar Energy” package is tied to the Hy-Vee security event.
The accounts are being sold for between $17 and $35 apiece, Krebs wrote. The Joker’s Stash listing appeared on Aug. 20.
Hy-Vee spokesperson Tina Pothoff said the company is aware of the claim and is working with card processors and the FBI.
“[Krebs] makes note that this data dump comes from cards from 35 states and more than 100 countries. We’re in eight states in one country, [but] we’re still continuing to investigate it,” Pothoff told the Business Record.
“As soon as we can narrow down the scope of this and potentially locations that were impacted, as well as potential cards that may have been impacted, then we will be reaching out to customers and putting out a public statement as well,” Pothoff said.
Hy-Vee employees noticed internal discrepancies in late July and the company made its Aug. 14 announcement as soon as the security event was confirmed, Pothoff said.
“We are not at a point where we are able to say locations or timeline, because we’re still in the middle of that investigation,” Pothoff said. “Sometimes these investigations can take several weeks … but we obviously are working as efficiently as we can to try and get this completed so we can get additional information to customers.”
In the initial announcement, Hy-Vee said it believes payment transactions through grocery checkouts, wine and spirits departments, floral departments, pharmacies and Aisles Online were not involved.