Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Iowa Grocery Chain Investigating Possible Hack of Payment Processing Systems

A West Des Moines, Iowa-based grocery chain that also operates restaurants, fuel-pumps and drive-thru coffee shops is warning its customers about a security incident involving some of its payment card systems. 

A West Des Moines, Iowa-based grocery chain that also operates restaurants, fuel-pumps and drive-thru coffee shops is warning its customers about a security incident involving some of its payment card systems. 

In a notice posted to its website on August 14, 2019, Hy-Vee warned that it had detected unauthorized activity on some of its payment processing systems. It believes that actions since taken has stopped this activity.

The problem is focused on the restaurants, fuel-pumps and drive-thru coffee shops. Payment systems in its grocery stores, drugstores and convenience stores use point-to-point encryption systems are not believed to be involved.

There are no details on the type of attack, although it has been reported to law enforcement. Outside security firms have been engaged to help Hy-Vee’s investigation. “Because the investigation is in its earliest stages,” stated Hy-Vee, “we do not have any additional details to provide at this time. We will provide notification to our customers as we get further clarity about the specific timeframes and locations that may have been involved.”

Since Hy-Vee talks about ‘locations that may have been involved’, the implication is that the attack is against individual card readers rather than the back-end systems handling all the devices (as with Magecart). This suggests local card skimming through a planted skimming device rather than systems hacking. 

“Given the location for the attack point includes pay-at-the-pump point of sale terminals and drive thru facilities,” comments Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, “the threat model for such locations will include the ability for someone to physically tamper with the terminal itself. A perfect example of such tampering would be skimming devices attached to the card reader.”

He advises, “Anyone using such terminals, regardless of location, should look for any signs of tampering prior to using a self-service terminal and if in doubt, both complete their transaction at a staffed terminal and inform a staff member of your concerns. Lastly, as Hy-Vee indicate in their statement, reviewing credit and debit card statements for unexpected transactions is always a prudent action.”  

Hy-Vee suggests that any abnormal account activity be reported to the card issuer as quickly as possible, “because cardholders are not generally responsible for unauthorized charges reported in a timely manner.”

Advertisement. Scroll to continue reading.

Hy-Vee operates more than 240 retail stores in eight Midwestern states: Illinois, Iowa, Kansas, Minnesota, Missouri, Nebraska, South Dakota and Wisconsin.

Related: Four Arrested for ATM Skimming, Payment Card Fraud 

Related: Authorities Disrupt International Payment Card Fraud Operation 

Related: Two Women Get a Slap On The Wrist for Credit Card Skimming 

Related: Safely Using Credit Cards – NOT Just for the Holidays

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Cloud Security

VMware described the bug as an out-of-bounds write issue in its implementation of the DCE/RPC protocol. CVSS severity score of 9.8/10.