Hy-Vee Inc. released a new database for shoppers worried their credit or debit card information may be at risk from the payment data breach first reported on Aug. 14.
An investigation found malware designed to access payment card data from cards used at point-of-sale (POS) devices at Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants, including Hy-Vee Market Grilles, Market Grille Expresses, Wahlburgers owned by Hy-Vee, and the Hy-Vee West Des Moines corporate office cafeteria.
The malware was designed to access track data, which may include the cardholder’s name, card number, expiration date and internal verification code. Hy-Vee reported that the malware was not present on all POS devices at some locations. In a statement, Hy-Vee said the malware has been removed and the company is continuing to work with law enforcement on its investigation and with the payment card networks.
“It appears that the malware did not copy data from all of the payment cards used during the period that it was present on a given POS device. There is no indication that other customer information was accessed,” Hy-Vee said.
Some cards may have been accessed as early as Nov. 9, 2018, at six locations, and as late as Aug. 2 at one location, which Hy-Vee did not name in its statement. Cards used at fuel pumps may have been accessed between Dec. 14, 2018, and July 29; cards used at restaurants and drive-thru coffee shops may have been accessed from Jan. 15 to July 29. Hy-Vee will contact affected customers by mail or email, the company said.
In late August, a security researcher at Krebs on Security claimed card account records from the Hy-Vee incident may be part of a 5.3 million payment card dump on the data market Joker’s Stash. Hy-Vee did not confirm any ties to the Joker’s Stash listing.
At least five Market Grilles at Des Moines Hy-Vees (2540 E. Euclid, 3221 S.E. 14th Street, 1107 E. Army Post Road and 420 Court Avenue) and one gas station’s pay-at-the-pump service (S.E. 14th Street) were affected. Consumers can search by city to see which locations were affected at www.hy-vee.com/paymentcardincident.