Sponsored By

Hy-Vee says malware caused payment card data breach

Point-of-sale devices affected at fuel, drive-through coffee, restaurant locations

Russell Redman

October 4, 2019

3 Min Read
Supermarket News logo in a gray background | Supermarket News

After a two-month investigation, Hy-Vee determined that point-of-sale malware was behind a data breach discovered this summer that exposed customer payment card information.

Hy-Vee said yesterday that the probe, assisted by leading cybersecurity firms, identified malware infecting POS devices at certain Hy-Vee fuel pumps, drive-through coffee shops and restaurants. The latter included Hy-Vee Market Grille, Hy-Vee Market Grille Express and Hy-Vee owned-and-operated Wahlburgers locations, as well as the cafeteria at the grocer’s West Des Moines, Iowa, headquarters.

Hy-Vee didn’t provide an estimate of the number of customers who might have been affected by the breach. However, the company noted that payment card transactions weren’t impacted at front-end checkout lanes, inside convenience stores, pharmacies and clinics, customer service counters, wine and spirits locations and floral departments. All other foodservice areas that use point-to-point encryption technology and transactions processed via Aisles Online also weren’t affected by the malware.

“During the investigation, we removed the malware and implemented enhanced security measures, and we continue to work with cybersecurity experts to evaluate additional ways to enhance the security of payment card data,” Hy-Vee said in a statement.

Related:Hy-Vee notifies customers of payment data breach

Designed to tap into payment card information exchanged at the point of sale, the malware searched for track data read from a card as it was being routed through the POS device, Hy-Vee explained. That data sometimes included the cardholder name, card number, expiration date and internal verification code. At some locations, the malware wasn’t present on all POS devices and didn’t copy data from all payment cards used while it was on the device, the retailer said, adding there was no signs that other customer information was accessed.

Hy-Vee first reported the payment card incident on Aug. 14 and, during its investigation, found that the breach stretched back to late last year. The company said it began its probe, and enlisted the aid of cybersecurity specialists, immediately after detecting unauthorized activity on some payment processing systems on July 29. Federal law enforcement and payment card networks also were notified.

Though varying by location, the specific time frames when card data may have been accessed by the malware run from Dec. 14, 2018, to July 29, 2019, for fuel pumps and from Jan. 15 to July 29, 2019, for restaurants and drive-through coffee shops, Hy-Vee reported. Malware access to card data may have started as early as Nov. 9, 2018, at six locations, and continued through August 2, 2019, at another location, the company said.

Related:Kings boosts its cybersecurity defense

Locations were affected across Hy-Vee’s eight-state Midwestern market area. Overall, the retailer operates more than 260 food, drug and convenience stores in Iowa, Illinois, Kansas, Minnesota, Missouri, Nebraska, South Dakota and Wisconsin.

“We continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring,” Hy-Vee stated.

To notify customers identified as having used their card at a location affected by the malware, Hy-Vee said it will mail them a letter or send them an email, as long as it has their contact information. The company is urging customers to immediately report any unauthorized charges to their card issuer and has set up web pages providing more information about the payment card incident and other steps that consumers can take to check for possible unauthorized transactions and exposure of personal data.

About the Author

Russell Redman

Senior Editor
Supermarket News

Russell Redman has served as senior editor at Supermarket News since April 2018, his second tour with the publication. In his current role, he handles daily news coverage for the SN website and contributes news and features for the print magazine, as well as participates in special projects, podcasts and webinars and attends industry events. Russ joined SN from Racher Press Inc.’s Chain Drug Review and Mass Market Retailers magazines, where he served as desk/online editor for more than nine years, covering the food/drug/mass retail sector. 

Russell Redman’s more than 30 years of experience in journalism span a range of editorial manager, editor, reporter/writer and digital roles at a variety of publications and websites covering a breadth of industries, including retailing, pharmacy/health care, IT, digital home, financial technology, financial services, real estate/commercial property, pro audio/video and film. He started his career in 1989 as a local news reporter and editor, covering community news and politics in Long Island, N.Y. His background also includes an earlier stint at Supermarket News as center store editor and then financial editor in the mid-1990s. Russ holds a B.A. in journalism (minor in political science) from Hofstra University, where he also earned a certificate in digital/social media marketing in November 2016.

Russell Redman’s experience:

Supermarket News - Informa
Senior Editor 
April 2018 - present

Chain Drug Review/Mass Market Retailers - Racher Press
Desk/Online Editor 
Sept. 2008 - March 2018

CRN magazine - CMP Media
Managing Editor
May 2000 - June 2007

Bank Systems & Technology - Miller Freeman
Executive Editor/Managing Editor
Dec. 1996 - May 2000

Supermarket News - Fairchild Publications
Financial Editor/Associate Editor
April 1995 - Dec. 1996 

Shopping Centers Today Magazine - ICSC 
Desk Editor/Assistant Editor
Dec. 1992 - April 1995

Testa Communications
Assistant Editor/Contributing Editor (Music & Sound Retailer, Post, Producer, Sound & Communications and DJ Times magazines)
Jan. 1991 - Dec. 1992 

American Banker/Bond Buyer
Copy Editor
Oct. 1990 - Jan. 1991 

This Week newspaper - Chanry Communications
Reporter/Editor
May 1989 - July 1990

Stay up-to-date on the latest food retail news and trends
Subscribe to free eNewsletters from Supermarket News

You May Also Like