US supermarket chain Hy-Vee probes possible payment card data breach

A smile in every aisle replaced by furrowed brow

UPDATED US supermarket chain Hy-Vee has admitted that a possible data breach may have exposed customer credit card information.

Concerns about transactions at some Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants has prompted an ongoing investigation into its payment processing systems, the company said on Wednesday.

The probe began after the retailer detected “unauthorized activity on some of our payment processing systems”.

The locations at the center of the security audit have different point-of-sale systems than those located at Hy-Vee’s grocery stores, drugstores, and inside its convenience stores, which are all said to utilize point-to-point encryption technology for processing payment card transactions.

Based on preliminary findings from the security audit, transactions made at Hy-Vee’s grocery and drug stores are not thought to be at risk.

The announcement puts customers who made transactions at Hy-Vee’s fuel pumps, drive-thru coffee shops, and restaurants on notice without confirming a problem.

Hy-Vee said: “Because the investigation is in its earliest stages, we do not have any additional details to provide at this time. We will provide notification to our customers as we get further clarity about the specific timeframes and locations that may have been involved.”

The supermarket chain advised customers to “closely monitor your payment card statements for any unauthorized activity”.

The Daily Swig contacted Hy-Vee to ask for an update on its ongoing investigation. No word, as yet, but we’ll update this story as more information comes to hand.

Around 5.3 million credit card details obtained from the breach of gas pumps, coffee shops and restaurants run by Hy-Vee has surfaced on the dark web, according to cybercrime sleuth Brian Krebs.

Hy-Vee is an employee-owned business that maintains more than 260 retail stores across eight Midwestern states, bringing in annual sales of around $10 billion.

This story was updated on August 27 to add a reference to the underground sale of credit card data linked to the breach.