Incident Of The Week: Millions of Hy-Vee Customer Payment Cards Appear For Sale Online
Breach Of Payment Card Data Lifted From Fuel Pump, Coffee Shop, And Restaurant POS Machines
The sale of 5.3 million payment card details on an online carding bazaar corroborated recent reports that customers of Midwestern U.S. retailer Hy-Vee who paid at the store’s fuel pumps, coffee shop drive-thrus, and restaurants could have fallen victim to an attack and subsequent data breach.
Hy-Vee operates more than 240 retail stores in eight Midwestern states, including Illinois, Iowa, Kansas, Minnesota, Missouri, Nebraska, South Dakota and Wisconsin. Last week, the company announced it was investigating a payment card incident at some Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants, where unauthorized activity had been detected on some of its payment processing systems. The timeframe for the breach and the scope of potential cardholders impacted are still under investigation.
These Hy-Vee locations use different point-of-sale systems (which allow the card to be swiped, rather than inserted with additional user security input required) than those at the company’s grocery stores, drugstores, and inside its convenience stores, which use point-to-point encryption technology for processing payment card transactions. Point-to-point encryption protects card data by making it unreadable.
The “dump” of payment card data appeared online under the breach codename “Solar Energy,” according to reports and images shared with the blog Krebs on Security. Dump purchasers receive a file that can push out values to reprogrammable dummy credit card magnetic stripes and replicate the physical card to perform fraudulent transactions.
Retailers have consistently remained a leading target for payment card fraud. As retail brands implement more security practices, we hear less about the “big box” stores, such as Dixons Carphone UK, Target, and Walmart, reporting these data breaches. Regional chains, such as Hy-Vee, become higher-value targets for attackers.
Hundreds of millions of credit cards and debit cards are in circulation within the United States. The transition from swiping the card’s magnetic stripe to requiring a chip + PIN combination (EMV) has essentially been completed. However, point-of-sale transaction machines have not been mandated to make the conversion. The risk of skimming (double swiping to “skim” the card info into a separate database) still exists at fuel pumps and other legacy transaction terminals.
PCI transaction compliance has demonstrated resiliency for payment card transactions that adhere to the EMV chip + PIN authorization process. The combination of skimming and non-chip POS terminals remains a channel for attackers to glean payment card data from unsuspecting users.