Breach at Hy-Vee linked to sale of millions of stolen credit, debit cards

(Logo courtesy: Hy-Vee / MGN / Background image: Pexels)

Nearly 5.3 million stolen credit and debit cards from 35 states have hit the black market linked to compromised gas pumps, coffee shops, and restaurants operated by Hy-Vee, according to cyber security investigative blogger Brian Krebs.

Hy-Vee, a Des Moines based company, announced last week, it was investigating a data incident involving its payment processing systems that handle transactions at some of its drive-thru coffee shops, fuel pumps, and restaurants.

According to Krebs, card account records sold by Joker’s Stash, apparently stolen from Hy-Vee are being sold off between $17 to $35 apiece. Krebs reported the card data stolen from Hy-Vee is being sold under the code name “Solar Energy."

In a statement to Kreb Investigates, Hy-Vee spokesperson Tina Pothoff said, “We are aware of reports from payment processors and the card networks of payment data being offered for sale and are working with the payment card networks so that they can identify the cards and work with issuing banks to initiate heightened monitoring on accounts.”

In a statement last week, Hy-Vee said based on its preliminary investigation, officials believe payment card transactions that were swiped or inserted on these systems, which are utilized at our front-end checkout lanes, pharmacies, customer service counters, wine & spirits locations, floral departments, clinics, and all other food service areas, as well as transactions processed through Aisles Online, are not involved.

Brian Krebs' original story can be found here.