The Rippleshot Data Breach Blog

What Financial Institutions Should Know About the Hy-Vee Data Breach

Written by Anna Kragie | Aug 23, 2019 3:36:06 PM

The details about the Hy-Vee data breach reported this week show the long-lasting impact to cardholders: The possible sale of lots of credit card data on the dark web. According to Krebs on Security latest report, information has made its way into a popular carding forum indicating card data is being sold on the dark web.

The supermarket chain issued a warning to customers on August 14 revealing that a data breach had occurred at point-of-sale systems used by the firm's fuel pumps, coffee shops, and restaurants including Market Grilles, Market Grille Expresses, and Wahlburgers. The grocery store terminals itself are not believed to be impacted.

According to Krebs On Security, the breach is tied to the sale of 5.3 million new accounts from cardholders in 35 states.

“We are aware of reports from payment processors and the card networks of payment data being offered for sale and are working with the payment card networks so that they can identify the cards and work with issuing banks to initiate heightened monitoring on accounts," Hy-Vee spokesperson Tina Pothoff told Krebs.

Hy-Vee operates in the Midwest in Illinois, Iowa, Kansas, Minnesota, Missouri, Nebraska, South Dakota and Wisconsin.

Here's a few key details about the breach:

  • It is not know yet how the breach occurred or how many cardholders are impacted.
  • Hy-Vee said they discovered unauthorized activity on some of its payment processing systems. 
  • The store hired a cybersecurity firm, notified federal law enforcement and payment card networks. 
  • The investigation is focused on card transactions at its fuel pumps, coffee shops, and restaurants 
  • The company uses point-to-point encryption for processing card transactions to protect customers.
  • Krebs' report cited two unnamed sources and said the data is being sold under the name "Solar Energy" in a data dump for between $17 and $35 each.

What Financial Institutions Should Do To Protect Themselves and Their Cardholders:

  • Educate cardholders about the incident and how to flag fraudulent charges.
  • Review data to determine if cardholders shopped at Hy-Vee.
  • Track the fallout of the breach to identify potential Incidents from stolen card data.
  • Inform cardholders about common fraud scams that occur with stolen credit card data.
  • Monitor potential fraud In real-time to get ahead of incidents before they spread.
  • Offer extra fraud/credit monitoring to proactively protect your customers.