DES MOINES, Iowa — After weeks of investigating, Hy-Vee revealed its credit card data incident impacted certain Hy-Vee fuel pumps, Market Grilles, and more.
After detecting unauthorized activity on some of its payment processing systems towards the end of July, Hy-Vee announced in August that it had begun an investigation with the assistance of cybersecurity firms. The company also notified federal law enforcement and payment card networks.
The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale (POS) devices at certain Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants, which include Hy-Vee Market Grilles, Hy-Vee Market Grille Expresses and the Wahlburgers locations that Hy-Vee owns and operates.
The following were impacted locally:
- The Pay at the Pump at the 5421 W War Memorial Dr location was impacted between Dec. 14, 2018 and July 29
- The Market Grille at 7610 Orange Prairie Road was impacted from Jan. 15 to July 29
- The Pay at the Pump at the 1405 N Veterans Parkway location was impacted between Dec. 14, 2018 and July 29
- The Market Grille at 1403 N Veterans Parkway was impacted from Jan. 15 to July 29
- The Pay at the Pump at the 1925 Henderson St location was impacted between Dec. 14, 2018 and July 29
- The Pay at the Pump at the 2801 Plaza Dr location was impacted between Dec. 14, 2018 and July 15
- The Market Grille at 1651 Midtown Road was impacted from Jan. 15 to July 15
For some locations, Hy-Vee said, the malware was not present on all POS devices at the location, and the malware did not copy data from all of the payment cards used during the period that it was present on a given POS device.
Hy-Vee will mail a letter or send an email to customers it can identify as having used their card at an involved location during that location’s specific timeframe and for whom it has a mailing address or email address.
There is no indication that other customer information was accessed.
Payment card transactions at front-end checkout lanes, inside convenience stores, pharmacies, customer service counters, wine & spirits locations, floral departments, clinics, and all other food service areas which utilize point-to-point encryption technology were not involved, nor were transactions processed through Aisles Online.
A list of the locations involved and specific timeframes is available at www.hy-vee.com/paymentcardincident.