Hy-Vee notifies customers of payment data breach

Retailer detected unauthorized activity on its payment processing system

Supermarket chain Hy-Vee has revealed that the credit card payment information of some of its customers has been exposed in a recent data breach. The exact number of customers and locations has not yet been determined.

The West Des Moines, Iowa-based operator of 245 stores says there was a "security incident" involving the payment processing systems at its fuel pumps, drive-through coffee shops and restaurants. The restaurants include its Market Grilles, Market Grille Express and company-owned Wahlburgers locations operating at its stores.

In a statement released yesterday, Hy-Vee said, “After recently detecting unauthorized activity on some of our payment processing systems, we immediately began an investigation with the help of leading cybersecurity firms. We also notified federal law enforcement and the payment card networks. We believe the actions we have taken have stopped the unauthorized activity on our payment processing systems.”

The company added that the investigation is focused on card transactions at the fuel pumps, coffee shops and restaurants, which use different point-of-sale systems than those at Hy-Vee grocery stores, drugstores and inside convenience stores. The latter systems use point-to-point encryption technology for processing payment card transactions, which protects card data by making it virtually unreadable.

“Based on our preliminary investigation,” Hy-Vee said, “we believe payment card transactions that were swiped or inserted on these systems, which are utilized at our front-end checkout lanes, pharmacies, customer service counters, wine & spirits locations, floral departments, clinics and all other foodservice areas, as well as transactions processed through Aisles Online, are not involved.”

Because the investigation is in its earliest stages, Hy-Vee did not have any additional details to provide at this time. The retailer will provide notification to its customers regarding specific time frames and locations that may have been involved as that information becomes available.
