Hy-Vee data breach may have exposed more than 5 million cardholder accounts

A recently acknowledged security incident at supermarket retailer Hy-Vee Inc. is reportedly tied to the sale of stolen credit and debit cards.

On Aug. 14, Hy-Vee posted a notice on its corporate website that it is investigating a “security incident” which occurred at some of its fuel pumps, drive-thru coffee shops, and restaurants. Based in Iowa, Hy-Vee operates more than 260 supermarket, drugstore, and convenience store locations across eight states in the Midwest.

These locations, which include Market Grilles, Market Grille Expresses and Wahlburgers locations that Hy-Vee owns and operates, have different POS systems than those used at Hy-Vee grocery stores, drugstores and convenience stores. According to Hy-Vee, the encryption technology used inside its stores protects customer payment card data by making it unreadable.

“Because the investigation is in its earliest stages, we do not have any additional details to provide at this time,” Hy-Vee said in the online statement. “We will provide notification to our customers as we get further clarity about the specific timeframes and locations that may have been involved.”

However, the security blog KrebsonSecurity is reporting that as of Tuesday, Aug. 20, a popular underground site that sells stolen credit and debit card data placed more than 5.3 million new accounts belonging to cardholders from 35 U.S. states up for sale. Anonymous sources told KrebsonSecurity that the card data is being illegally sold under the code name “Solar Energy” on a stolen card site known as “Joker’s Stash.”

Aaron Branson, VP at managed network connectivity, security and compliance solutions provider Netsurion, said this incident reveals new methods hackers are using to gain access to consumer payment card data.

“The Hy-Vee data breach is further evidence that hackers targeting credit card data are shifting tactics,” said Branson. “As others have noted, they are moving downstream from big box retailers to smaller, more plentiful, and probably less secure merchants. And with that, they are also changing tactics to be more lucrative and efficient by attacking POS system vendors who serve many such retailers. In the case of Hy-Vee, locations of various types and brands were breached, but they all may have used a specific POS system. To protect against this new approach, POS system vendors and integrators would be wise to embed greater security like endpoint threat detection and response to monitor anomalous activity on these critical systems.”