Hy-Vee has announced additional information about the payment card incidents at its gas stations, restaurants, and coffee shops that were first reported back in August.
After Hy-Vee officials detected unauthorized activity on their point-of-sale systems on July 29th, they notified a cybersecurity firm and the federal government of a potential data breach. The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale (“POS”) devices at certain Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants. The malware searched for track data that sometimes contained customer card information. The specific time frames when data from cards used at the locations involved may have been accessed vary by location, over the general time frame beginning December 14, 2018, to July 29, 2019, for fuel pumps and beginning January 15, 2019, to July 29, 2019, for restaurants and drive-thru coffee shops. A list of the locations involved and the specific time frames is available at this link. Customers who have been identified in the data breach will receive correspondence from the company on the next steps in the investigation.
Hy-Vee announced that the investigation did not find any data breach within its grocery stores or in transactions processed through online sales. Hy-Vee said it has implemented new security measures at all locations and is continuing to work with law enforcement to pinpoint who placed the malware on the company’s systems and when.
If you have any additional questions about the investigation, Hy-Vee has a dedicated line for the investigation at 833-967-1091, open Monday through Friday between the hours of 8:00 a.m. and 8:00 p.m.