West Des Moines, Iowa — We now know more about the Hy-Vee data breach that was reported recently, and it did affect Sheldon — but only the card readers on the pay-at-the-pump gas pumps at the Hy-Vee convenience store.
Hy-Vee has provided additional information about the payment card incident that was first reported on August 14, 2019.
They say that after detecting unauthorized activity on some of their payment processing systems on July 29, 2019, Hy-Vee officials say they immediately began an investigation and leading cybersecurity firms were engaged to assist. They say they also notified federal law enforcement and the payment card networks.
According to Hy-Vee, “The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale (“POS”) devices at certain Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants. The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code) read from a payment card as it was being routed through the POS device. However, for some locations, the malware was not present on all POS devices at the location, and it appears that the malware did not copy data from all of the payment cards used during the period that it was present on a given POS device. There is no indication that other customer information was accessed.”
In our area, not only were the Sheldon pump card readers affected, but they were also affected at Hy-Vee’s convenience stores in Le Mars, Cherokee, Sioux City, Spencer, Worthington, and Sioux Falls. According to Hy-Vee’s list, no readers were affected at their Sioux Center location. The timeframes were all mid-December of last year through July of this year.
Additionally, transactions at the Sioux Falls Market Grille locations were also affected. Those dates were mid-January through the end of July.
A list of the locations involved and specific timeframes is available at www.hy-vee.com/paymentcardincident. The site also provides information about the incident and additional steps customers may take. For those customers Hy-Vee can identify as having used their card at a location involved during that location’s specific timeframe and for whom Hy-Vee has a mailing address or email address, Hy-Vee will be mailing them a letter or sending them an email.
Hy-Vee officials tell us that payment card transactions were not involved at Hy-Vee front-end checkout lanes; inside convenience stores; pharmacies; customer service counters; wine & spirits locations; floral departments; clinics; and all other food service areas which utilize point-to-point encryption technology, as well as transactions processed through Aisles Online.
During the investigation, they tell us they removed the malware and implemented enhanced security measures, and they continue to work with cybersecurity experts to evaluate additional ways to enhance the security of payment card data. In addition, Hy-Vee says they continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.
They remind you to always review your card statements for unauthorized transactions.
