Mid-Western supermarket chain Hy-Vee issued an update regarding the POS data breach it reported in August, including when it happened on the locations involved.
Hy-Vee said in an October 3 release that unauthorized access was detected on July 29, 2019 and focused on Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants at Hy-Vee Market Grilles, Hy-Vee Market Grille Expresses, the Hy-Vee owned and operated Wahlburgers locations, as well as the cafeteria at Hy-Vee’s West Des Moines corporate office. The dates these operations were impacted varied with general timeline beginning December 14, 2018, to July 29, 2019 for fuel pumps and from January 15, 2019, to July 29, 2019, for restaurants and drive-thru coffee shops. There are also six unspecified locations where the malware may have been in place as early as November 9, 2018 and one location where the issue continued through August 2, 2019.
The company originally did not say what PII was involved, but now stated the malware tracked payment card details including the cardholder’s name, card number, expiration date and internal verification code. Not every POS system at the affected locations contained the malware nor did the malware scrape every payment card as it was run through the system. So in some instances a payment card could have been used at an infected location yet not be compromised, the company said. The exact number of people affected was not released.
“Payment card transactions were not involved at our front-end checkout lanes; inside convenience stores; pharmacies; customer service counters; wine & spirits locations; floral departments; clinics; and all other food service areas which utilize point-to-point encryption technology, as well as transactions processed through Aisles Online,” Hy-Vee said.
The malware was removed and the company has instituted a higher level of cybersecurity.
The company has provided a location lookup tool for customers to check to see if their local facility was involved in the incident.