A West Des Moines, Iowa-based grocery chain that also operates restaurants, fuel-pumps and drive-thru coffee shops is warning its customers about a security incident involving some of its payment card systems.
In a notice posted to its website on August 14, 2019, Hy-Vee warned that it had detected unauthorized activity on some of its payment processing systems. It believes that actions since taken has stopped this activity.
The problem is focused on the restaurants, fuel-pumps and drive-thru coffee shops. Payment systems in its grocery stores, drugstores and convenience stores use point-to-point encryption systems are not believed to be involved.
There are no details on the type of attack, although it has been reported to law enforcement. Outside security firms have been engaged to help Hy-Vee’s investigation. “Because the investigation is in its earliest stages,” stated Hy-Vee, “we do not have any additional details to provide at this time. We will provide notification to our customers as we get further clarity about the specific timeframes and locations that may have been involved.”
Since Hy-Vee talks about ‘locations that may have been involved’, the implication is that the attack is against individual card readers rather than the back-end systems handling all the devices (as with Magecart). This suggests local card skimming through a planted skimming device rather than systems hacking.
“Given the location for the attack point includes pay-at-the-pump point of sale terminals and drive thru facilities,” comments Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, “the threat model for such locations will include the ability for someone to physically tamper with the terminal itself. A perfect example of such tampering would be skimming devices attached to the card reader.”
He advises, “Anyone using such terminals, regardless of location, should look for any signs of tampering prior to using a self-service terminal and if in doubt, both complete their transaction at a staffed terminal and inform a staff member of your concerns. Lastly, as Hy-Vee indicate in their statement, reviewing credit and debit card statements for unexpected transactions is always a prudent action.”
Hy-Vee suggests that any abnormal account activity be reported to the card issuer as quickly as possible, “because cardholders are not generally responsible for unauthorized charges reported in a timely manner.”
Hy-Vee operates more than 240 retail stores in eight Midwestern states: Illinois, Iowa, Kansas, Minnesota, Missouri, Nebraska, South Dakota and Wisconsin.