After a two-month investigation, Hy-Vee determined that point-of-sale malware was behind a data breach discovered this summer that exposed customer payment card information.
Hy-Vee said yesterday that the probe, assisted by leading cybersecurity firms, identified malware infecting POS devices at certain Hy-Vee fuel pumps, drive-through coffee shops and restaurants. The latter included Hy-Vee Market Grille, Hy-Vee Market Grille Express and Hy-Vee owned-and-operated Wahlburgers locations, as well as the cafeteria at the grocer’s West Des Moines, Iowa, headquarters.
Hy-Vee didn’t provide an estimate of the number of customers who might have been affected by the breach. However, the company noted that payment card transactions weren’t impacted at front-end checkout lanes, inside convenience stores, pharmacies and clinics, customer service counters, wine and spirits locations and floral departments. All other foodservice areas that use point-to-point encryption technology and transactions processed via Aisles Online also weren’t affected by the malware.
“During the investigation, we removed the malware and implemented enhanced security measures, and we continue to work with cybersecurity experts to evaluate additional ways to enhance the security of payment card data,” Hy-Vee said in a statement.
Designed to tap into payment card information exchanged at the point of sale, the malware searched for track data read from a card as it was being routed through the POS device, Hy-Vee explained. That data sometimes included the cardholder name, card number, expiration date and internal verification code. At some locations, the malware wasn’t present on all POS devices and didn’t copy data from all payment cards used while it was on the device, the retailer said, adding that there were no signs that other customer information was accessed.
Hy-Vee first reported the payment card incident on Aug. 14 and, during its investigation, found that the breach stretched back to late last year. The company said it began its probe, and enlisted the aid of cybersecurity specialists, immediately after detecting unauthorized activity on some payment processing systems on July 29. Federal law enforcement and payment card networks also were notified.
Though varying by location, the specific time frames when card data may have been accessed by the malware run from Dec. 14, 2018, to July 29, 2019, for fuel pumps and from Jan. 15 to July 29, 2019, for restaurants and drive-through coffee shops, Hy-Vee reported. Malware access to card data may have started as early as Nov. 9, 2018, at six locations, and continued through August 2, 2019, at another location, the company said.
Locations were affected across Hy-Vee’s eight-state Midwestern market area. Overall, the retailer operates more than 260 food, drug and convenience stores in Iowa, Illinois, Kansas, Minnesota, Missouri, Nebraska, South Dakota and Wisconsin.
“We continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring,” Hy-Vee stated.
To notify customers identified as having used their card at a location affected by the malware, Hy-Vee said it will mail them a letter or send them an email, as long as it has their contact information. The company is urging customers to immediately report any unauthorized charges to their card issuer and has set up web pages providing more information about the payment card incident and other steps that consumers can take to check for possible unauthorized transactions and exposure of personal data.