Hy-Vee releases findings from investigation into data breach
Hy-Vee on Thursday provided more information about the payment card data breach incident the grocery chain reported in August.
Hy-Vee said in a statement that unauthorized activity on some of its payment systems was detected on July 29, and the investigation began shortly after. That investigation discovered malware was used to access payment card data from cards used on point-of-sale (POS) devices at some Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants.
The timeframes when the data from cards used at the affected locations may have been accessed range from December 14, 2018 to July 29, 2019 for fuel pumps, and January 15, 2019 to July 29, 2019 for restaurants and drive-thru coffee shops, according to the statement.
A list of the locations involved and more specific timeframes is available at www.hy-vee.com/paymentcardincident. The site also has information and steps to take for customers who may be affected. Hy-Vee said it will be mailing letters or sending an email to all customers identified as having used their card at a location involved during that location’s specific timeframe (so long as the company has a mailing or email address for that person).
The statement said payment card transactions at the company’s front-end checkout lanes, inside convenience stores, pharmacies, customer service counters, wine & spirit locations, floral departments, clinics and all other food service areas were not involved.
Hy-Vee said it has removed the malware and added enhanced security measures.