Albert Lea’s Hy-Vee gas affected in recent data breach
Published 6:26 pm Thursday, October 3, 2019
Albert Lea’s Hy-Vee gas station was among those affected by the Hy-Vee payment card data breach first reported last month, according to new information provided Thursday by the company.
Hy-Vee stated customers who paid at the pump at the Albert Lea location between Dec. 14 and July 29 could have been a part of the breach.
Customers at the Market Grille and at the Hy-Vee gas station in Austin were also impacted.
Hy-Vee stated in a news release the company first detected unauthorized activity on some of its payment processing systems on July 29 and immediately began an investigation. Cybersecurity firms were called in to assist, and federal law enforcement and payment card networks were also notified.
The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale devices at certain Hy-Vee fuel pumps, drive-thru coffee shops and restaurants.
The malware searched for track data — which sometimes has the cardholder name in addition to card number, expiration date and internal verification code — read from a payment card as it was being routed through the point-of-sale device. However, for some locations, the malware was not present on all point-of-sale devices at the location, and it appears that the malware did not copy data from all of the payment cards used during the period that it was present on a given POS device. There is no indication that other customer information was accessed.
Transactions at front-end checkout lanes or inside convenience stores at pharmacies, floral departments, clinics or the customer service stations were not affected.
The malware was removed, and enhanced security measures were implemented.
Customers are advised to review their payment card statements for any unauthorized activity. Customers should immediately report any unauthorized charges to their card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner.
To view the list of locations affected, along with timelines affected, visit www.hy-vee.com/paymentcardincident.