Incident Of The Week UPDATE: Hy-Vee Details Investigation Into 2019 Payment Card Data Breach

Breach Of 5 Million Payment Cards Lifted From Fuel Pump, Coffee Shop, And Restaurant POS Machines


Jeff Orr


Midwestern U.S. retailer Hy-Vee this week disclosed the findings of its investigation into a data breach first announced in mid-August, affecting millions of customers who paid at its fuel and food-service point-of-sale (PoS) terminals.

The investigation found malware designed to harvest payment card data from cards used at PoS devices at certain Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants (which include the company’s Hy-Vee Market Grilles, Hy-Vee Market Grille Expresses and the Wahlburgers locations that Hy-Vee owns and operates). The Hy-Vee corporate cafeteria in West Des Moines, Iowa was also affected.

The malware searched for magnetic-stripe track data (the card number, expiration date and the card’s internal verification code, and in some cases the cardholder name as well) as it was read from a payment card and routed through the PoS device. However, at some locations the malware was not present on every PoS device, and it appears that it did not copy data from every card used while it was present on a given device. The investigation found no indication that other customer information was accessed.

See Related: Incident Of The Week: Millions Of Hy-Vee Customer Payment Cards Appear For Sale Online

The specific timeframes during which card data may have been accessed vary by location. In general the window runs from December 14, 2018, to July 29, 2019, for fuel pumps and from January 15, 2019, to July 29, 2019, for restaurants and drive-thru coffee shops. At six locations access may have started as early as November 9, 2018, and at one location it may have continued through August 2, 2019. A list of the affected locations with their specific timeframes is available on the company’s website, and Hy-Vee is notifying affected customers where it has contact information.

Payment card transactions at Hy-Vee front-end checkout lanes, inside convenience stores, pharmacies, customer service counters, wine & spirits locations, floral departments, clinics and all other food-service areas were not involved, since those systems use point-to-point encryption; transactions processed through Aisles Online were also not involved.

During the investigation the company worked with cyber security experts to remove the malware and implement enhanced security measures, and it continues to evaluate additional ways to protect payment card data. Hy-Vee also continues to support law enforcement’s investigation and is working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.

Background On The Initial Data Breach Disclosure

A listing of roughly 5.3 million payment card records on an online carding marketplace corroborated reports that customers of Midwestern U.S. retailer Hy-Vee who paid at the chain’s fuel pumps, coffee shop drive-thrus and restaurants could have fallen victim to the attack and the resulting data breach.

Hy-Vee operates more than 240 retail stores in eight Midwestern states: Illinois, Iowa, Kansas, Minnesota, Missouri, Nebraska, South Dakota and Wisconsin. In August the company announced it was investigating a payment card incident at some Hy-Vee fuel pumps, drive-thru coffee shops and restaurants, after detecting unauthorized activity on some of its payment processing systems.

These Hy-Vee locations use different PoS systems (ones that allow the card to be swiped rather than inserted and that require additional user security input) from those at the company’s grocery stores, drugstores and inside its convenience stores, which use point-to-point encryption for processing payment card transactions. Point-to-point encryption protects card data by encrypting it at the card reader, so that it is unreadable to anything, malware included, running on the PoS system itself.

See Related: Incident Of The Week: 567K Accounts Exposed In Cheddar’s Restaurant Breach

The online “dump” of payment card data appeared under the breach codename “Solar Energy,” according to reports and images shared with the blog Krebs on Security. Buyers of a dump receive the stolen track data as a file that can be written to the magnetic stripe of a blank or reprogrammable card, producing a clone of the physical card that can be used for fraudulent transactions.

Retailers remain a leading target for payment card theft. As large retail brands harden their payment environments, we hear less about “big box” chains such as Dixons Carphone UK, Target and Walmart reporting these breaches, and regional chains such as Hy-Vee become comparatively more attractive targets for attackers.

See Related: Cyber Pros Offer Insight On Credit Card Fraud, Mobile Payments & Data Scandal

Hundreds of millions of credit and debit cards are in circulation in the United States. On the card-issuing side, the transition from the magnetic stripe to chip-based EMV cards (chip + PIN, or chip + signature as is common in the U.S.) has essentially been completed. However, point-of-sale terminals have not all been required to make the conversion; the EMV liability shift for U.S. fuel pumps in particular was postponed to October 2020. The risk of skimming (capturing the stripe’s track data, whether by a physical skimmer on the reader or by malware on the terminal, and copying it into the attacker’s own database) therefore still exists at fuel pumps and other legacy transaction terminals.

Transactions that go through the EMV chip authorization process have proven resilient, because the chip generates a one-time cryptogram for each transaction and a captured record cannot be replayed onto a cloned card. Track data stolen from a chip card, however, can still be encoded onto a cloned stripe and used wherever a swipe is accepted, so the combination of skimming and non-chip PoS terminals remains the channel through which attackers glean payment card data from unsuspecting users.

See Related: Top 5 Cyber Security Breaches Of 2019 So Far