SEVERE WX : Winter Weather Advisory View Alerts

Hy-Vee in Mason City, Albert Lea, Austin, Rochester affected by credit/debit card hack

Company says it has removed malware and enhanced security.

Posted: Oct 3, 2019 4:08 PM
Updated: Oct 3, 2019 7:51 PM

WEST DES MOINES, Iowa – Hy-Vee is updating customers on its investigation into stolen credit and debit card information.

The Des Moines Register was the first to report that credit and debit card information of some Hy-Vee customers is being sold on an internet site for $17 to $35 apiece and the grocery store chain said it was connected to card payments at Hy-Vee restaurants, fuel pumps and drive-thru coffee shops.

On Thursday, the company said the illegal activity began as early as November 9, 2018, and may have continued through August 2, 2019.  It affected the following locations in the KIMT viewing area:

Pay At The Pump at the Hy-Vee gas stations in Mason City, Albert Lea, Austin, and in Rochester at 3rd Avenue NW and West Circle Drive. Between December 14, 2018, and July 29, 2019.

Market Grille locations in Austin and in Rochester at 37th Street NW and West Circle Drive between January 15 and July 29, 2019.

Hy-Vee issued the following statement to the public on what its investigation uncovered and what actions were taken by the company:

“After detecting unauthorized activity on some of our payment processing systems on July 29, 2019, we immediately began an investigation and leading cybersecurity firms were engaged to assist. We also notified federal law enforcement and the payment card networks.”

“The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale (“POS”) devices at certain Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants (which include our Hy-Vee Market Grilles, Hy-Vee Market Grille Expresses and the Wahlburgers locations that Hy-Vee owns and operates, as well as the cafeteria at Hy-Vee’s West Des Moines corporate office). The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code) read from a payment card as it was being routed through the POS device. However, for some locations, the malware was not present on all POS devices at the location, and it appears that the malware did not copy data from all of the payment cards used during the period that it was present on a given POS device. There is no indication that other customer information was accessed.”

“The specific timeframes when data from cards used at these locations involved may have been accessed vary by location over the general timeframe beginning December 14, 2018, to July 29, 2019, for fuel pumps and beginning January 15, 2019, to July 29, 2019, for restaurants and drive-thru coffee shops. There are six locations where access to card data may have started as early as November 9, 2018, and one location where access to card data may have continued through August 2, 2019.”

“A list of the locations involved and specific timeframes is available at www.hy-vee.com/paymentcardincident. The site also provides information about the incident and additional steps customers may take. For those customers Hy-Vee can identify as having used their card at a location involved during that location's specific timeframe and for whom Hy-Vee has a mailing address or email address, Hy-Vee will be mailing them a letter or sending them an email.”

“Payment card transactions were not involved at our front-end checkout lanes; inside convenience stores; pharmacies; customer service counters; wine & spirits locations; floral departments; clinics; and all other food service areas which utilize point-to-point encryption technology, as well as transactions processed through Aisles Online.”

“During the investigation, we removed the malware and implemented enhanced security measures, and we continue to work with cybersecurity experts to evaluate additional ways to enhance the security of payment card data. In addition, we continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.”

“It is always advisable for customers to review their payment card statements for any unauthorized activity. Customers should immediately report any unauthorized charges to their card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of the payment card.”

Minnesota Coronavirus Cases

Data is updated nightly.

Confirmed Cases: 129863

Reported Deaths: 2367
CountyConfirmedDeaths
Hennepin33310981
Ramsey13782357
Dakota9541137
Anoka8414150
Stearns566541
Washington546970
Scott329334
Olmsted318330
St. Louis285065
Wright236714
Nobles221916
Clay221443
Blue Earth20207
Carver17437
Kandiyohi16505
Sherburne163421
Rice16059
Mower150315
Winona123618
Crow Wing98021
Lyon9516
Chisago9502
Waseca9229
Benton9107
Beltrami8717
Otter Tail8187
Todd7695
Steele7413
Nicollet71417
Itasca70617
Morrison6948
Freeborn6594
Douglas6473
Le Sueur6145
Martin60616
Polk5964
McLeod5804
Watonwan5764
Goodhue55811
Becker5383
Pine5230
Isanti5195
Chippewa4243
Carlton4111
Mille Lacs38714
Dodge3860
Hubbard3692
Wabasha3590
Cass3575
Pipestone34217
Meeker3223
Brown3163
Rock3154
Yellow Medicine2755
Cottonwood2720
Murray2723
Redwood26911
Fillmore2500
Renville24311
Sibley2433
Roseau2280
Faribault2210
Wadena2153
Unassigned21153
Jackson2071
Houston1951
Kanabec19510
Swift1941
Stevens1771
Lincoln1760
Pennington1741
Aitkin1652
Koochiching1654
Pope1540
Big Stone1320
Lac qui Parle1313
Wilkin1294
Lake1150
Norman1080
Mahnomen1062
Marshall1031
Clearwater1010
Grant924
Red Lake692
Traverse540
Lake of the Woods441
Kittson380
Cook120

Iowa Coronavirus Cases

Data is updated nightly.

Confirmed Cases: 112754

Reported Deaths: 1615
CountyConfirmedDeaths
Polk18617286
Woodbury704194
Johnson576330
Black Hawk544098
Linn5342129
Dubuque501657
Scott433738
Story394418
Dallas339744
Pottawattamie314844
Sioux236416
Buena Vista224112
Marshall198336
Webster180715
Plymouth161927
Wapello150562
Clinton143026
Muscatine140758
Crawford134414
Des Moines133610
Cerro Gordo131425
Warren12037
Carroll109912
Jasper107034
Henry10325
Marion96310
Lee93110
Tama92737
Delaware74212
Dickinson7217
Wright7101
Boone7039
Mahaska67024
Bremer6559
Harrison63711
Washington63411
Jackson5763
Benton5532
Lyon5337
Clay5144
Louisa51215
Winnebago46619
Hamilton4624
Hardin4606
Winneshiek4609
Kossuth4510
Poweshiek44711
Cedar4375
Buchanan4314
Jones4284
Floyd42511
Emmet42017
Clayton3933
Iowa3918
Cherokee3882
Page3860
Sac3854
Guthrie38015
Franklin37818
Cass3712
Mills3711
Shelby3621
Fayette3604
Butler3592
Madison3533
Allamakee3518
Chickasaw3411
Clarke3393
Humboldt3163
Palo Alto3082
Hancock3064
Grundy2925
Calhoun2904
Osceola2660
Howard2629
Monroe25811
Mitchell2430
Monona2361
Jefferson2311
Taylor2312
Union2234
Appanoose2203
Pocahontas2192
Lucas1986
Fremont1941
Ida1872
Greene1830
Van Buren1672
Davis1654
Montgomery1647
Keokuk1561
Adair1521
Decatur1480
Audubon1411
Worth1370
Wayne1163
Ringgold882
Adams740
Unassigned80
Rochester
Overcast
28° wxIcon
Hi: 31° Lo: 24°
Feels Like: 22°
Mason City
Overcast
30° wxIcon
Hi: 35° Lo: 26°
Feels Like: 21°
Albert Lea
Overcast
28° wxIcon
Hi: 30° Lo: 25°
Feels Like: 19°
Austin
Scattered Clouds
30° wxIcon
Hi: 32° Lo: 25°
Feels Like: 23°
Charles City
Overcast
32° wxIcon
Hi: 37° Lo: 27°
Feels Like: 24°
Another Round of Snow
KIMT Radar
KIMT Eye in the sky

Latest Video

Image

Saturday Weather

Image

Rochester considers new downtown library complex

Image

Rochester Public Works Proposes Speed Limit Reduction

Image

Sports Overtime part two

Image

Sports Overtime part one

Image

Sara's 10pm Forecast - Friday

Image

Outdoor dining is on the rise and grant funding is helping

Image

Preventing self storage thefts

Image

Big plans for a new library building in Rochester

Image

Rochester Public Works proposed speed limit reduction

Community Events