Hy-Vee has put out an update on its investigation into a payment card data breach first revealed in August
Following a payment card incident first reported in August, Hy-Vee Inc. has issued an update on the steps it took as part of an investigation into the matter, including the implementation of improved security measures.
The grocer also noted the exact nature of the data breach in its update.
“The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale devices at certain Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants (which include our Hy-Vee Market Grilles, Hy-Vee Market Grille Expresses and the Wahlburgers locations that Hy-Vee owns and operates, as well as the cafeteria at Hy-Vee’s West Des Moines [Iowa] corporate office),” the company said. “The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date and internal verification code) read from a payment card as it was being routed through the POS device. However, for some locations, the malware was not present on all POS devices at the location, and it appears that the malware did not copy data from all of the payment cards used during the period that it was present on a given POS device. There is no indication that other customer information was accessed.”
Over the course of the investigation, Hy-Vee noted that it has “removed the malware and implemented enhanced security measures, and we continue to work with cybersecurity experts to evaluate additional ways to enhance the security of payment card data. In addition, we continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.”
Hy-Vee also revealed the periods when data from cards used at the targeted locations may have been accessed: Dec. 14, 2018, to July 29, 2019, for the fuel pumps and Jan. 15, 2019, to July 29, 2019, for the restaurants and drive-thru coffee shops. “There are six locations where access to card data may have started as early as Nov. 9, 2018, and one location where access to card data may have continued through Aug. 2, 2019,” the company admitted, adding, “For those customers Hy-Vee can identify as having used their card at a location involved during that location’s specific timeframe and for whom Hy-Vee has a mailing address or email address, Hy-Vee will be mailing them a letter or sending them an email.”
A list of the locations involved and specific timeframes is available online.
The grocer additionally reminded customers to review their payment card statements for any unauthorized activity and to promptly report any unauthorized charges to their card issuer.
Employee-owned Hy-Vee operates more than 260 retail stores across eight Midwestern states. The company is No. 12 on Progressive Grocer’s 2019 Super 50 list of the top grocers in the United States.