Midwestern supermarket chain Hy-Vee issued an update regarding the POS data breach it reported in August, including when it happened and the locations involved.
Hy-Vee said in an October 3 release that unauthorized access was detected on July 29, 2019, and focused on Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants at Hy-Vee Market Grilles, Hy-Vee Market Grille Expresses, the Hy-Vee owned and operated Wahlburgers locations, as well as the cafeteria at Hy-Vee’s West Des Moines corporate office. The dates these operations were impacted varied, with the general timeline running from December 14, 2018, to July 29, 2019, for fuel pumps and from January 15, 2019, to July 29, 2019, for restaurants and drive-thru coffee shops. There are also six unspecified locations where the malware may have been in place as early as November 9, 2018, and one location where the issue continued through August 2, 2019.
The company originally did not say what PII was involved, but has now stated that the malware tracked payment card details, including the cardholder’s name, card number, expiration date and internal verification code. Not every POS system at the affected locations contained the malware, nor did the malware scrape every payment card as it was run through the system. So in some instances a payment card could have been used at an infected location yet not be compromised, the company said. The exact number of people affected was not released.
“Payment card transactions were not involved at our front-end checkout lanes; inside convenience stores; pharmacies; customer service counters; wine & spirits locations; floral departments; clinics; and all other food service areas which utilize point-to-point encryption technology, as well as transactions processed through Aisles Online,” Hy-Vee said.
The malware was removed and the company has instituted a higher level of cybersecurity.
The company has provided a location lookup tool for customers to check to see if their local facility was involved in the incident.