Report: Compromised cards from Hy-Vee data breach for sale online

(Logo courtesy: Hy-Vee / MGN / Background image: Pexels)
By  | 

CEDAR RAPIDS, Iowa (KCRG) - A batch of millions of credit and debit cards that are being sold online are attributed to information stolen in a data breach at certain Hy-Vee payment terminals, according to a report from an internet security researcher.

KrebsOnSecurity, a website run by technological security writer Brian Krebs, published a story on Thursday claiming that 5.3 million credit and debit accounts from a total of 35 states that showed up on a website known for selling stolen card data was actually from Hy-Vee stores.

Krebs based his report on two anonymous sources, including one from a major financial institution.

On August 14, 2019, Hy-Vee, Inc. disclosed that it had detected unusual activity in its payment processing systems. The store said that transactions on gas pumps at Hy-Vee Gas stations, drive-thru coffee shops, and their store-operated restaurants such as Market Grille, Market Grille Express, and certain Wahlbergers locations were potentially affected.

Hy-Vee said that transactions at its main grocery stores, drugstore locations, or purchases made inside of Hy-Vee Gas locations rather than at the pump, were not affected by the data breach. The company also claimed it had fixed the problem but was still working with investigators and law enforcement on the issue.

Hy-Vee has not issued any other public statements on the issue since its initial disclosure August 14. The company sent the following statement to Des Moines-based television station KCCI: "We are aware of reports from payment processors and the card networks of payment data being offered for sale and are working with the payment card networks so that they can identify the cards and work with issuing banks to initiate heightened monitoring on accounts."

Krebs said that information from the set of cards was selling for between $17 to $35 each.

Hy-Vee recommends customers who are concerned to closely monitor their card statements and balances for unauthorized activity. If a customer notices something unexpected, they should contact their financial institution.