Stolen credit, debit card accounts for sale on black market may be linked to Hy-Vee data breach

Aaron Calvin
The Des Moines Register

Credit and debit card accounts linked to a data breach at select Hy-Vee locations may be the source of data from 5.3 million accounts being offered for sale online, information security investigator Brian Krebs has reported.

Two anonymous sources, including one at an unidentified major U.S. financial institution, told Krebs that information stolen from accounts linked to the Hy-Vee breach is being sold under the code name "Solar Energy" at "Joker's Stash carding bazaar," a website where stolen credit and debit card data is resold.

Hy-Vee notified consumers on Aug. 14 that it was investigating a possible data breach in some of its payment processing systems, specifically card transactions at fuel pumps, drive-through coffee shops and its Market Grille, Market Grille Express and Wahlburgers restaurants that Hy-Vee owns and operates.

Hy-Vee spokeswoman Tina Potthoff told Krebs this week that Hy-Vee was aware of reports from payment processors and card networks that payment data was being sold on the dark web.

But Potthoff on Friday questioned some of the claims linking Hy-Vee to the availability of stolen data from millions of accounts.

"The dark web was advertising data being sold from cards from 35 states and more than 100 countries," Potthoff said. "Hy-Vee has stores in eight states in one country."

Potthoff said Hy-Vee has been in contact with card payment companies and is conducting an ongoing investigation. However, she said Hy-Vee hasn't found a way to independently determine how much of the data from the breach it is investigating may be available on the dark web.

"It is possible some cards are from incidents that occurred at other merchants," she said.

Hy-Vee has not yet been able to pinpoint locations where security breaches occurred or a definitive timeline, Potthoff said.

"We are working as quickly as possible to complete our investigation so we can get additional information to our customers," she said.

Card account records are being sold for between $17 and $35 apiece on Joker's Stash, according to Krebs.

In a statement released last week, Hy-Vee said payment systems at its satellite institutions weren't guarded with the same encryption technology as point-of-sale payment systems at Hy-Vee grocery stores, drugstores or convenience stores.

According to Lynn Hicks, spokesman for Attorney General Tom Miller, Hy-Vee has not reached out to the attorney general's office, which businesses are required by law to do if a data breach affects more than 500 customers.

The attorney general's office hasn't received any consumer complaints, nor can it confirm the number of customers affected, Hicks said.

What to do if you believe your data may have been compromised

The A.G.'s office advises consumers who believe their information may have been compromised in these breaches to do the following:

  • Monitor your credit card and bank accounts.
  • Place a security freeze on your credit report (Equifax, Experian and TransUnion) to stop fraudulent accounts from being opened by an identity thief. A security freeze prevents potential creditors and other third parties from accessing credit reports without your approval.
  • Place a temporary (90-day) "fraud victim alert" on each of your credit reports by calling any one of the credit agencies (Equifax, Experian and TransUnion).

Aaron Calvin covers trending news for the Register. Reach him at acalvin@registermedia.com or 515-556-9097.
