Findings released in Hy-Vee payment card incident; 2 Austin locations reportedly affected by breach

Published 8:35 am Friday, October 4, 2019

Hy-Vee, Inc. has released more information regarding the payment card incident first reported in August.

According to a report released by the company, the incident, involving unauthorized activity on payment cards at point-of-sale (POS) devices, was first reported on Aug. 14 of this year. The activity was first noticed a couple weeks earlier on July 29.

Hy-Vee began investigating with cybersecurity firms to track the activity and also notified federal law enforcement.

Email newsletter signup

What the investigation found was malware that was designed to access payment card data from devices at certain Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants (which include Hy-Vee Market Grilles, Hy-Vee Market Grille Expresses and the Wahlburgers locations that Hy-Vee owns and operates, as well as the cafeteria at Hy-Vee’s West Des Moines corporate office).

The malware was designed to track data, which sometimes included the cardholder’s name as well as card number, expiration date and internal verification code as it was being routed through the POS device.

The report goes on to say that for some locations, the malware was not present on all POS devices at the location, and it appears that the malware did not copy data from all of the payment cards used during the period that it was present on a given POS device. There is no indication that other customer information was accessed.

The specific timeframes when data from cards used at these locations involved may have been accessed vary by location over the general timeframe beginning Dec. 14, 2018 to July 29, 2019, for fuel pumps and beginning Jan.15, 2019 to July 29, 2019, for restaurants and drive-thru coffee shops.

There are six locations where access to card data may have started as early as Nov. 9, 2018, and one location where access to card data may have continued through Aug. 2, 2019.

In Austin, access to data was found to have occured at the Market Grille (Jan. 15-July 29, 2019) and pay at the pump at the Hy-Vee gas station.

Payment card transactions were not involved at our front-end checkout lanes, inside convenience stores, pharmacies, customer service counters, wine and spirits locations, floral departments, clinics, and all other food service areas which utilize point-to-point encryption technology, as well as transactions processed through Aisles Online.

Hy-Vee has since removed the malware and implemented enhanced security measures, while continuing to work with cybersecurity experts to evaluate additional ways to enhance the security of payment card data.

In addition, Hy-Vee said it is continuing to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.

It is always advisable for customers to review their payment card statements for any unauthorized activity. Customers should immediately report any unauthorized charges to their card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of the payment card.

For more information

A list of the locations involved and specific timeframes is available at The site also provides information about the incident and additional steps customers may take. For those customers Hy-Vee can identify as having used their card at a location involved during that location’s specific timeframe and for whom Hy-Vee has a mailing address or email address, Hy-Vee will be mailing them a letter or sending them an email.

Austin locations affected

•Market Grille Jan. 15-July 29 2019

•Pay at the Pump, Dec. 14, 2018 to July 29, 2019