[BreachExchange] Stolen credit, debit card accounts for sale on black market may be linked to Hy-Vee data breach

Destry Winant destry at riskbasedsecurity.com
Mon Aug 26 10:12:56 EDT 2019


Credit and debit card accounts linked to a data breach at select
Hy-Vee locations may be the source of data from 5.3 million accounts
being offered for sale online, information security investigator Brian
Krebs has reported.

Two anonymous sources, including one at an unidentified major U.S.
financial institution, told Krebs that information stolen from
accounts linked to the Hy-Vee breach is being sold under the code name
"Solar Energy" at "Joker's Stash carding bazaar," a website where
stolen credit and debit card data is resold.

Hy-Vee notified consumers on Aug. 14 that it was investigating a
possible data breach in some of its payment processing systems,
specifically card transactions at fuel pumps, drive-through coffee
shops and its Market Grille, Market Grille Express and Wahlburgers
restaurants that Hy-Vee owns and operates.

Hy-Vee spokeswoman Tina Potthoff told Krebs this week that Hy-Vee was
aware of reports from payment processors and card networks that
payment data was being sold on the dark web.

But Potthoff on Friday questioned some of the claims linking Hy-Vee to
the availability of stolen data from millions of accounts.

"The dark web was advertising data being sold from cards from 35
states and more than 100 countries," Potthoff said. "Hy-Vee has stores
in eight states in one country."

Potthoff said Hy-Vee has been in contact with card payment companies
and is conducting an ongoing investigation. However, she said Hy-Vee
hasn't found a way to independently determine how much of the data
from the breach it is investigating may be available on the dark web.

"It is possible some cards are from incidents that occurred at other
merchants," she said.

Hy-Vee has not yet been able to pinpoint locations where security
breaches occurred or a definitive timeline, Potthoff said.

"We are working as quickly as possible to complete our investigation
so we can get additional information to our customers," she said.

Card account records are being sold for between $17 and $35 apiece on
the Joker's Stash, according to Krebs.

In a statement released last week, Hy-Vee said payment systems at its
satellite institutions weren't guarded with the same encryption
technology as point-of-sale payment systems at Hy-Vee grocery stores,
drugstores or convenience stores.

According to Lynn Hicks, spokesman for Attorney General Tom Miller,
Hy-Vee has not reached out to the attorney general's office, which
businesses are required by law to do if a data breach affects more
than 500 customers.

The attorney general's office hasn't received any consumer complaints,
nor can it confirm the number of customers affected, Hicks said.
