WEST DES MOINES, Iowa – Hy-Vee has released more details about the company's debit card breach and offered customers the next step for what to do.
The company first reported the incident August. 14. According to a statement released Thursday, Hy-Vee saw unauthorized activity on some of its payment processing systems on July 29. It started investigating the activity immediately with the help of online businesses. Federal authorities and payment card networks were also notified.
The investigation revealed that malicious software was designed to retrieve debit card data from cards used on certain fuel pumps, drive-through coffee shops and restaurants.
The release said payment card transactions on the cash registers in front, within convenience stores, pharmacies, customer service counters, wine and liquor locations, flower shops and clinics were not affected.
The malicious software looks for track data, which sometimes has the cardholder's name, card number, expiration date and security code. At some of these sites, malware took data from certain devices instead of all. There were no indications that other customer information was available.
The general timeframe for accessing the data ranges from December 14 to July 29 for fuel pumps and January 15 to July 29 for restaurants and coffee makers running through.
malware has since been removed, and the company has taken improved security measures.
Go to www.hy-vee.com/paymentcardincident for specific locations and time frames. In addition to having information about the event, the site also lists the next steps customers can take.
Hy-Vee will send out e-mails and letters to customers identified as having used their cards at a location involved in the store's specific timeframe.
Get weather forecasts from people who actually live in your community. We update with short, easy-to-use video forecasts you can watch on your phone every day. Download the iOS or Android app here.