Hy-Vee data breach: Cedar Rapids, Iowa City area gas station list, restaurants affected

Hy-Vee has released the places the store chain has determined that it was affected by a network breach.

Investigators found malicious software had been operating, designed to search for track data – sometimes with cardholder names, card numbers, expiry dates and internal verification codes – when it was passed through vending machines, Hy-Vee said in a news release.

The merchant first announced Aug. 14 that the breach affected some of the fuel pumps, run-through coffee shops and restaurants, including Market Grilles, Market Grille Expresses and Wahlburgers locations, plus the cafeteria at the company's West Des Moines headquarters, excluding grocery stores, pharmacies or convenience stores, that uses encryption technology.

Precisely when card data may have been broken, and where, varied among Hy-Vee locations. At six locations, card data may have been opened as early as November 9, 201[ads1]8, and at a location as late as August 2.

Hy-Vee first discovered the unauthorized activity on July 29 and recruited cybersecurity companies to look into the breach.

The affected locations in the corridor include:

In Cedar Rapids

• Market Grille – 1843 Johnson Ave. NW (January 15-July 29)

• Pay at the Pump – 2300 Bowling St. (December 14-July 29)

In Coralville

• Market Grille – 1914 Eighth St. (15th) January) through July 16)

• Market Grille – 3285 Crosspark Rd. (January 15 through July 29)

• Pay at the Pump – 2025 Second St. (December 17-July 29)

In Iowa City

• Market Grille – 1720 Waterfront Drive (January 15-July 29)

• Market Grille – 812 South First Ave. (January 15 through July 1)

• Market Grille – 1125 N. Dodge St. (January 15-July 29)

• Pay at the Pump – 260 Stevens Drive (December 14 – 29) July] [19659020] • Pay at the Pump – 1103 N. Dodge St. (December 14 to July 29)

In Marion

• Pay at the Pump – 3550 Highway 151 E. (December 14 to 29) July).

The malicious software was not present at all points of sale in some locations and does not appear to have copied data from all debit cards used while active on a given device, Hy-Vee said.

Other customer information is not believed to have been opened.

Hy-Vee said it removed malicious software, improved security measures, and continued to consult cybersecurity experts on how to further strengthen the protection of credit card data.

The Western Des Moines-based reseller cooperates with law enforcement investigations and works with payment card networks so that bank issuance can continue to increase account control.

Self-proclaimed "hacking merchants" when surveying bazaar Joker & # 39; s Stash allegedly listed Hy-Vee account data for online sales, with "dumping" priced from $ 17 to $ 35 apiece, the former Washington Post data security journalist reported Brian Krebs on his Krebs on Security blog in August.

Krebs cited two named sources, including one at a major US financial institution.

In an email Friday, Hy-Vee spokeswoman Tina Potthoff said law enforcement is aware of the reported digital listing, adding, "We allow the authorities to handle any investigation of information that may be on the dark web. "

Hy-Vee does not have sufficient information to determine the names and addresses of all customers who used cards in stores involved in the breach, nor can I identify how many Iowa residents used a card during the the time frame, the company said in a mandatory letter of warning it sent the state attorney's office Thursday.

Customers for whom Hy-Vee has contact information, however, will receive either a postal letter or email if the merchant finds that they used cards at breach sites, the company says.

Hy-Vee created a tool for customers to apply if a specific store was affected, and how, at hy-vee.com/paymentcardincident.

Comments: (319) 398-8366; thomas.friestad@thegazette.com