Hy-Vee’s Investigation Identified The Operation of Malware Designed to Access Payment Card Data – Kehoe Law Firm, P.C. Investigating Potential Claims on Behalf of Victims of Hy-Vee’s Data Breach. 

On October 3, 2019, Hy-Vee reported findings from the investigation of the payment card data incident reported by Hy-Vee in August 2019.  According to Hy-Vee’s announcement:

After detecting unauthorized activity on some of [Hy-Vee’s] payment processing systems on July 29, 2019, [Hy-Vee] immediately began an investigation and leading cybersecurity firms were engaged to assist. [Hy-Vee] also notified federal law enforcement and the payment card networks.

The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale (“POS”) devices at certain Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants (which include [Hy-Vee’s] Hy-Vee Market Grilles, Hy-Vee Market Grille Expresses and the Wahlburgers locations that Hy-Vee owns and operates, as well as the cafeteria at Hy-Vee’s West Des Moines corporate office). The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code) read from a payment card as it was being routed through the POS device. However, for some locations, the malware was not present on all POS devices at the location, and it appears that the malware did not copy data from all of the payment cards used during the period that it was present on a given POS device. There is no indication that other customer information was accessed.

The specific timeframes when data from cards used at these locations involved may have been accessed vary by location over the general timeframe beginning December 14, 2018, to July 29, 2019 for fuel pumps and beginning January 15, 2019, to July 29, 2019, for restaurants and drive-thru coffee shops. There are six locations where access to card data may have started as early as November 9, 2018, and one location where access to card data may have continued through August 2, 2019. A list of the locations involved and specific timeframes are available below. For those customers Hy-Vee can identify as having used their card at a location involved during that location’s specific timeframe and for whom Hy-Vee has a mailing address or email address, Hy-Vee will be mailing them a letter or sending them an email.

Payment card transactions were not involved at [Hy-Vee’s] front-end checkout lanes; inside convenience stores; pharmacies; customer service counters; wine & spirits locations; floral departments; clinics; and all other food service areas which utilize point-to-point encryption technology, as well as transactions processed through Aisles Online.

During the investigation, [Hy-Vee] removed the malware and implemented enhanced security measures, and [Hy-Vee] continue[s] to work with cybersecurity experts to evaluate additional ways to enhance the security of payment card data. In addition, [Hy-Vee] continue[s] to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring. [Emphasis added.]

Hy-Vee’s announcement contains a “Location Look Up Tool,” where individuals can determine the “specific Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants [which] were identified during [Hy-Vee’s] investigation as well as the specific time frames.”  Hy-Vee also stated that not all of its locations were involved in the data incident, as well as that the data incident did not affect payment card systems inside of its convenience stores/gas stations.

Have You Been Impacted by A Data Breach?

If so, please either contact Kehoe Law Firm, P.C. Partner Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], complete the form on the right or send an e-mail to [email protected] for a free, no-obligation case evaluation of your facts to determine whether your privacy rights have been violated and whether there is a basis for a data privacy class action.

Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs.  Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.

Kehoe Law Firm, P.C.