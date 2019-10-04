Customer information may have been breached at gas pumps and cafes in 14 Hy-Vee locations in the metro area from November 2018 through July of this year.
The West Des Moines, Iowa-based grocery chain released more information Thursday about credit and debit card data that may have been stolen by malware attached to card readers.
Locations in multiple states were affected over the course of several months, including gas pumps and in-store restaurants at 11 Omaha locations, two in Council Bluffs and one in Papillion. Locations also affected were in Lincoln, Kearney, Grand Island, Columbus, Fremont and Plattsmouth.
The retailer said an investigation, which involved outside cybersecurity firms, confirmed that the card readers at certain Hy-Vee gas pumps, drive-thru coffee shops and in-store restaurants like Market Grille and Wahlburgers were compromised.
The data breach is not believed to have affected cards used at front checkout lanes, convenience stores and pharmacies, customer service counters, liquor stores, floral departments, clinics and other food-service areas, which have more sophisticated encryption security systems, Hy-Vee said in Thursday’s statement.
Hy-Vee learned of the breach in July and reported it in August. The malware attached to certain card readers copied data like the cardholder’s name, card number, expiration date and verification code. Not all cards were copied.
Hy-Vee will mail or email letters to customers the company knows were affected and whose contact information is on file.
“During the investigation, we removed the malware and implemented enhanced security measures, and we continue to work with cybersecurity experts to evaluate additional ways to enhance the security of payment card data,” the statement from Hy-Vee said.
“In addition, we continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.”
