Hy-Vee Security Breach Could Involve 5M-Plus Accounts

DES MOINES — Just two weeks after Hy-Vee Inc. announced the launch of an investigation into a security incident involving its payment processing systems, a security blog is alleging that more than 5 million accounts may have been affected.

Security blog KrebsonSecurity reported that as of Tuesday, Aug. 20, a popular underground site that sells stolen credit and debit card data placed more than 5.3 million new accounts belonging to cardholders from 35 U.S. states up for sale, according to Convenience Store News sister publication Chain Store Age.

Anonymous sources told KrebsonSecurity that the card data is being illegally sold under the code name "Solar Energy" on a stolen card site known as "Joker's Stash."

Aaron Branson, vice president of Netsurion, a provider of network connectivity, security and compliance solutions, said this incident reveals new methods hackers are using to gain access to consumer payment card data.

"The Hy-Vee data breach is further evidence that hackers targeting credit card data are shifting tactics," Branson said. "As others have noted, they are moving downstream from big box retailers to smaller, more plentiful, and probably less secure merchants. And with that, they are also changing tactics to be more lucrative and efficient by attacking POS system vendors who serve many such retailers.

"In the case of Hy-Vee, locations of various types and brands were breached, but they all may have used a specific POS system. To protect against this new approach, POS system vendors and integrators would be wise to embed greater security like endpoint threat detection and response to monitor anomalous activity on these critical systems," he added.

As Convenience Store News previously reported, Hy-Vee announced that it recently detected unauthorized activity involving its payment processing systems, including card readers at its fuel pumps, drive-thru coffee shops and restaurants at its Market Grilles, Market Grille Expresses and the Wahlburgers locations that it owns and operates.

Hy-Vee does not believe that card readers at its convenience stores, grocery stores or drug stores, which use different point-of-sale systems, were compromised. Transactions processed through the Aisles Online ordering system are also not believed to have been affected.

The company notified federal law enforcement officials and payment card networks. It advised customers to monitor their payment card statements for unauthorized activity and immediately notify the financial institution that issued the card if any is discovered.

Des Moines-based Hy-Vee operates both convenience stores and grocery stores in Illinois, Iowa, Kansas, Minnesota, Missouri, Nebraska, South Dakota and Wisconsin.

Hy-Vee Food Stores Inc. was no. 47 on the 2019 Convenience Store News Top 100 list.

Convenience Store News and Chain Store Age are properties of EnsembleIQ