Iowa Grocery Chain Investigating Possible Hack of Payment Processing Systems

A West Des Moines, Iowa-based grocery chain that also operates restaurants, fuel-pumps and drive-thru coffee shops is warning its customers about a security incident involving some of its payment card systems. 

In a notice posted to its website on August 14, 2019, Hy-Vee warned that it had detected unauthorized activity on some of its payment processing systems. It believes that actions taken since then have stopped this activity.

The problem is focused on the restaurants, fuel-pumps and drive-thru coffee shops. Payment systems in its grocery stores, drugstores and convenience stores, which use point-to-point encryption, are not believed to be involved.

There are no details on the type of attack, although it has been reported to law enforcement. Outside security firms have been engaged to help Hy-Vee’s investigation. “Because the investigation is in its earliest stages,” stated Hy-Vee, “we do not have any additional details to provide at this time. We will provide notification to our customers as we get further clarity about the specific timeframes and locations that may have been involved.”

Since Hy-Vee talks about ‘locations that may have been involved’, the implication is that the attack is against individual card readers rather than the back-end systems handling all the devices (as with Magecart). This suggests local card skimming through a planted skimming device rather than systems hacking. 

“Given the location for the attack point includes pay-at-the-pump point of sale terminals and drive thru facilities,” comments Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, “the threat model for such locations will include the ability for someone to physically tamper with the terminal itself. A perfect example of such tampering would be skimming devices attached to the card reader.”

He advises, “Anyone using such terminals, regardless of location, should look for any signs of tampering prior to using a self-service terminal and if in doubt, both complete their transaction at a staffed terminal and inform a staff member of your concerns. Lastly, as Hy-Vee indicate in their statement, reviewing credit and debit card statements for unexpected transactions is always a prudent action.”  

Hy-Vee suggests that any abnormal account activity be reported to the card issuer as quickly as possible, “because cardholders are not generally responsible for unauthorized charges reported in a timely manner.”

Hy-Vee operates more than 240 retail stores in eight Midwestern states: Illinois, Iowa, Kansas, Minnesota, Missouri, Nebraska, South Dakota and Wisconsin.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
