August 22, 2019

On Tuesday of this week, one of the more popular underground stores peddling credit and debit card data stolen from hacked merchants announced a blockbuster new sale: More than 5.3 million new accounts belonging to cardholders from 35 U.S. states. Multiple sources now tell KrebsOnSecurity that the card data came from compromised gas pumps, coffee shops and restaurants operated by Hy-Vee, an Iowa-based company that operates a chain of more than 245 supermarkets throughout the Midwestern United States.

Hy-Vee, based in Des Moines, announced on Aug. 14 it was investigating a data breach involving payment processing systems that handle transactions at some Hy-Vee fuel pumps, drive-thru coffee shops and restaurants.

The restaurants affected include Hy-Vee Market Grilles, Market Grille Expresses and Wahlburgers locations that the company owns and operates. Hy-Vee said it was too early to tell when the breach initially began or for how long intruders were inside their payment systems.

But typically, such breaches occur when cybercriminals manage to remotely install malicious software on a retailer’s card-processing systems. This type of point-of-sale malware is capable of copying data stored on a credit or debit card’s magnetic stripe when those cards are swiped at compromised payment terminals. This data can then be used to create counterfeit copies of the cards.

Hy-Vee said it believes the breach does not affect payment card terminals used at its grocery store checkout lanes, pharmacies or convenience stores, as these systems rely on a security technology designed to defeat card-skimming malware.

“These locations have different point-of-sale systems than those located at our grocery stores, drugstores and inside our convenience stores, which utilize point-to-point encryption technology for processing payment card transactions,” Hy-Vee said. “This encryption technology protects card data by making it unreadable. Based on our preliminary investigation, we believe payment card transactions that were swiped or inserted on these systems, which are utilized at our front-end checkout lanes, pharmacies, customer service counters, wine & spirits locations, floral departments, clinics and all other food service areas, as well as transactions processed through Aisles Online, are not involved.”

According to two sources who asked not to be identified for this story — including one at a major U.S. financial institution — the card data stolen from Hy-Vee is now being sold under the code name “Solar Energy,” at the infamous Joker’s Stash carding bazaar.

An ad at the Joker’s Stash carding site for “Solar Energy,” a batch of more than 5 million credit and debit cards sources say was stolen from customers of supermarket chain Hy-Vee.

Hy-Vee said the company’s investigation is continuing.

“We are aware of reports from payment processors and the card networks of payment data being offered for sale and are working with the payment card networks so that they can identify the cards and work with issuing banks to initiate heightened monitoring on accounts,” Hy-Vee spokesperson Tina Pothoff said.

The card account records sold by Joker’s Stash, known as “dumps,” apparently stolen from Hy-Vee are being sold for prices ranging from $17 to $35 apiece. Buyers typically receive a text file that includes all of their dumps. Those individual dump records — when encoded onto a new magnetic stripe on virtually anything the size of a credit card — can be used to purchase stolen merchandise in big box stores.

As noted in previous stories here, the organized cyberthieves involved in stealing card data from main street merchants have gradually moved down the food chain from big box retailers like Target and Home Depot to smaller but far more plentiful and probably less secure merchants (either by choice or because the larger stores became a harder target).

It’s really not worth spending time worrying about where your card number may have been breached, since it’s almost always impossible to say for sure and because it’s common for the same card to be breached at multiple establishments during the same time period.

Just remember that while consumers are not liable for fraudulent charges, it may still fall to you the consumer to spot and report any suspicious charges. So keep a close eye on your statements, and consider signing up for text message notifications of new charges if your card issuer offers this service. Most of these services also can be set to alert you if you’re about to miss an upcoming payment, so they can also be handy for avoiding late fees and other costly charges.


82 thoughts on “Breach at Hy-Vee Supermarket Chain Tied to Sale of 5M+ Stolen Credit, Debit Cards”

  1. Jed

    I think Joker’s Stash is the most famous name in the carding world, a big hero for the carders, big guy. I guess Joker has a massive amount of fans and followers..
    Joker is like a real influencer; many young people look at Joker with big respect.
    I guess he’s famous like Satoshi.

  2. Louis Leahy

    As long as institutions continue to rely on device based validation for transactions on wide area networks these compromises are going to continue.

    1. TD

      This is inaccurate.

      Chip cards have largely solved this problem for card-present transactions with asymmetric cryptography (the data may be stolen, but it cannot be used to authorize subsequent transactions). Additionally, point-to-point encryption leveraged on many modern card readers encrypts card data before it is passed to the point of sale system which, again, renders the data useless. Merchants with current payment processing hardware have significantly reduced risk of data compromise and, in this circumstance, the liability has shifted to the issuer.

      1. Catwhisperer

        TD, but doesn’t that depend on where the malware resides in the path of the credit card data? Wouldn’t it be better to encrypt from the card chip itself, rather than anywhere past that in the transaction path?

        1. Rich

          Agree with TD. Point-to-point encryption (P2PE) ensures that card data is encrypted immediately on swipe or dip using lab-tested hardware/firmware. These components are similar to encrypting PIN pad technologies which have been used for the last 20 years. Coupling this with advances in anti-tampering technologies (also lab tested) ensures devices used at the point of interaction securely encrypt data. The Target breach demonstrated the effectiveness of this encryption as the hackers were unable to decrypt the PINs (PAN was in the clear). With all this said, skimmers, overlays, shims, and membranes are still effective, which is why merchants are required to inspect terminals. P2PE has also been slow to roll out to the gas pump as I understand it.

  3. The Sunshine State

    How does the code name “Solar Energy” equate to “Hy-Vee”? Confused?

    1. Slapping my forehead

      Uh, read the article… The data stolen from “Hy-Vee” is being sold on “Joker’s Stash” in a bundle named “Solar Energy”. Some people’s kids…

    2. BrianKrebs Post author

      The base name has no bearing on the victim company, it’s just something catchy that lends itself to a nice graphic, AFAICT.

  4. Micah

    Do you know what malicious software type they installed?

    1. BrianKrebs Post author

      We don’t even know when the breach began or ended at this point. How would we know the malware used?

    1. KFritz

      According to eMarketer, courtesy of the blog “Wolf Street,” HD is the #5 online retailer in the US, well ahead of its nearest competition in the construction business.

    2. andhol

      The Home Depot Inc., or Home Depot, is the largest home improvement retailer in the United States, supplying tools, construction products, and services.

  5. Dave

    Someone correct me if I am wrong. I thought credit cards were insured and the cardholder is not responsible for fraudulent transactions, but I thought debit cards were a different matter (not insured; cardholder responsible).

    Until I got to this statement, I just assumed the malware read the card stripes in real time from memory before it could be encrypted for point-to-point encryption.

    “These locations have different point-of-sale systems than those located at our grocery stores, drugstores and inside our convenience stores, which utilize point-to-point encryption technology for processing payment card transactions,”

    Does that mean these other locations that got breached do not have encryption in place? How old are the systems? Doesn’t PCI negligence come into play here?

    I guess maybe we need to find out more before answering those questions.

    1. Brad

      There are two pieces of equipment in play here. The credit card reader and the point-of-sale terminal (POS AKA cash register). If the card reader encrypts the info *before* it is sent to the terminal, then it is called point-to-point, meaning from one end point to the other. It can theoretically only be decrypted by the card processor. Register and retailer have no access to any of the data, and thus it can’t be stolen. Thus the POS terminal and the retailer’s network are considered out-of-scope for PCI.
      OTOH, if the card reader sends the data to the terminal, the POS software then encrypts it before sending it to the card processor, and PCI is fully in play. This is when the thieves have an opportunity to install malware on the terminal to read memory and find data that looks like it might be card data. If it doesn’t get encrypted immediately on the POS, then they have even more opportunity. HTH
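An added example, not code from the post or from any commenter: a small scope check that tells the two setups Brad describes apart by scanning a POS host buffer for clear-text Track 2 records, the thing a memory scraper can harvest and an encrypting reader never hands to the register. The buffer snapshot, the key-serial label and the PANs (well-known test numbers) are constructed.

```python
"""Check whether clear-text Track 2 data is reaching a POS host.

Added example: the buffer below is constructed and the PANs are well-known
test numbers, not data from the breach or from any real system.
"""
import re

# Track 2 layout: [;]PAN=YYMMSSS<discretionary>[?]  (sentinels may be absent)
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,30})\??")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only BIN and last four, the usual PCI-permitted display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_tracks(buf: bytes) -> list:
    """Return every Luhn-valid Track 2 record found in the clear in buf."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        service = m.group(4).decode()
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": m.group(3).decode() + "/" + m.group(2).decode(),  # MM/YY
            "service_code": service,
            # First service-code digit 2 or 6 marks a chip-bearing card; a clear
            # swipe of one is the case the EMV liability shift is aimed at.
            "chip_capable": service[:1] in ("2", "6"),
        })
    return hits


# Constructed snapshot of a POS host buffer: an encrypting (P2PE) reader's
# output, which exposes no PAN, beside a keyboard-wedge reader's raw track,
# which is what a memory scraper would harvest.
SAMPLE_POS_MEMORY = (
    b"\x00\x13POSAPP 7.2 idle\x00\x00"
    b"KSN=FFFF9876543210E00001 DATA=9a3f0c44b7e1d2a55f60c9e8b1a7d3f4"
    b"\x00\x00\xff\xfe"
    b";4111111111111111=25121011234567890123?"
    b"\x00junk 12345678901234=2512101 more junk\x00"  # right shape, fails Luhn
    b"\x00;5555555555554444=26066011000000000000?\x00"
)


def scan_report(buf: bytes = SAMPLE_POS_MEMORY) -> dict:
    """Summarise a scan: what a PCI scope review needs to know about this host."""
    hits = find_cleartext_tracks(buf)
    return {
        "cleartext_records": len(hits),
        "chip_cards_swiped": sum(h["chip_capable"] for h in hits),
        "records": hits,
    }


if __name__ == "__main__":
    for h in find_cleartext_tracks(SAMPLE_POS_MEMORY):
        print(h)
```

A host where this scan finds nothing after real transactions is the P2PE case Brad describes; any hit means the register is inside PCI scope.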

      1. Dave

        Excellent answer Brad. Two quick questions if you don’t mind: 1) Does being PCI compliant require encryption at the card readers, and 2) is this where the new CCs with the chip come into play? Does the chip provide the encryption at the reader whereas the magnetic strip does not?

        Thank you.

        1. LHW

          To answer Dave’s question 1, it is not at all unusual to be PCI-compliant without an instantly-encrypting card reader. One common type of card reader is a USB device that physically looks like a swipe slot, but to the host PC works in all ways exactly like a USB keyboard. It just types the track data in clear text. While this sounds like a disaster waiting to happen, using one of these for real transactions is not a PCI disqualification. It just means you have to exercise extra diligence in the rest of your setup to ensure that a. this portion of the data flow can’t be misused (which might mean physically locking down the reader and/or the USB port); b. card data is encrypted by another part of the system at some point before storage or transmission.

          If I understand Brad’s remarks right, if instead you had a reader that encrypts card data before it goes ANYWHERE, in a way that only the intended recipient processor can decrypt it, you would effectively cut all the other elements of your POS system out of the PCI-governed data flow. That would make PCI compliance and certification much, much easier.

      2. Dave

        Never mind, Brad. A Google search revealed the answers for me. The chip is indeed the encryption key, which is why retailers are being asked to upgrade to the newer readers that accept the chip CCs. The retailers could go about upgrading faster though. Wonder if those breached locations were using outdated readers?

        1. Orlando

          Yes and no. In LATAM the EMV chip manages some sort of encryption, but it’s also required to implement another layer of encryption, usually using DUKPT (for transaction-changing keys).

          All card readers should implement point-to-point encryption.

          In Mexico we even have laws regarding this P2PEnc: if the retailer does not have these controls in place, you cannot process transactions.

        2. Bart

          The chip on the card has nothing to do with card data encryption; chip technology is all about card (and cardholder) validation.
          If the card readers (there are three – tap, swipe, insert) encrypt the card data, the name used depends on where it is being decrypted. Who can decrypt will depend on whose keys are injected into the PIN pad. E2EE is most often used if the card data can be decrypted by the merchant, P2PE if it happens outside the merchant’s control (gateway or acquirer).
          Some encryption techniques are better than others; they have their own standards. See PCI PTS – the best level today is PCI PTS 5, which is why there is pressure now to phase out all devices that are lower than this standard.

    2. Weylin

      Credit and debit cards are both covered under Federal Regulation E (please search and read). If my memory serves me right, both have requirements on time frame, and an individual’s failure to report leads to what you can be liable for; and debit cards have a larger liability than a credit card if you don’t report timely. But if you report it right after it happens or when you receive your statement, then you shouldn’t be liable for any amount. Now, financial institutions might try to have you eat the charge because any reimbursement by them might just be a loss on their books if there are not chargeback rights on the transaction(s) and/or their own plastic card insurance doesn’t cover the loss caused by the fraudulent charge(s).

      1. Jon Marcus

        For a credit card the presumption is no liability. The burden is on the issuer to prove that they notified you of misuse and you didn’t challenge it. And even then, liability is capped at $50.

        For a debit card, I believe that’s reversed. Burden is on you, and the $50 cap applies only if you report the loss within 2 days (very short timeframe!). If it takes you longer than 2 days the limit is $500. And if it takes you longer than 60 days, your liability is unlimited.

  6. James Miller

    If I understand the technology correctly all of this could have been prevented by chip based transactions which are by design one time codes rather than swiping the mag stripe which includes persistent data.

    When is this crap going to stop!

      1. Vog Bedrog

        That’s the final EMV mandate cutoff for unattended fuel pumps – all other US terminals are already on the wrong side of the mandate if they’re still accepting mag stripe reads. If these dumps really are used for purchases at big-box stores as Brian states, the transactions can be charged back – card-present be damned. The main risk to cardholders here is inconvenience, but merchants are risking losses.

  7. Ramx

    Stop neglecting security!!!
    These companies continue to underfund and reduce the priority on the security of those systems that are holding our data. Over and over I see this with so many companies, until they get breached and they realize, oops, after so much damage is already done.
    They are encouraging those bad actors to commit those crimes due to their negligence.

    We need laws that hold these corporations accountable and fine them severely for such negligence

    We, as customers, need to stop shopping at these outlets to send a clear message that enough is enough

    1. John J.

      I haven’t seen anything in the article that says the company was neglecting security. Having multiple POS systems that work differently is not uncommon.

      A company can do just about everything right and still be breached. Capital One’s breach apparently was able to be carried out because a device was misconfigured; there was no willful neglect or poor practices. Just an error.

      Don’t get me wrong; some companies definitely aren’t doing enough. Suprema should probably go out of business for their business practices considering they’re supposedly a security company (https://www.theregister.co.uk/2019/08/14/biostar_2_suprema_database_exposed_27m_records/).

      Companies that suffer a breach are often left wondering why. Many do what they’re supposed to, follow industry standards, implement frameworks, achieve compliance, have tools & budget, etc. but are still breached. Customer suffering follows.

      The core problem is that our people and systems are not, and may never be, perfect. Attackers only need to find one flaw to potentially succeed while defenders need to protect against every possible threat; i.e. be practically perfect. It’s really not a sustainable model.

  8. Belli H

    Every time I think Mr. Krebs might be ‘over-exaggerating’ this POS (retail, gas stations, etc) card & debit card thieving going on in the good ole’ United States—well, you know, then reality sets in.

    I then think: protect yourself, Belli, in any way you can…….

    Mr. Krebs, maybe it’s time to start ‘public-shaming’ companies (especially ones over a certain size) that are still relying on magnetic-card-swiping technology?

    For example, I took the whole family out to a Macaroni’s Grill we had come across while visiting a relative in another State.

    Now, I knew from reading WSJ over the years, that Macaroni’s Grill is owned by Brinker International—a near 60,000 employee-sized, NYSE publicly-traded (symbol: EAT) multinational company that is in the hospitality industry business. They also, among other things, own Chili’s & Maggiano’s Little Italy restaurant chains.

    So I had no worry about paying with my chip-based card, right? Didn’t even give it a second thought, actually.

    Well, when the check came, I took out my chip-based card and had no problems with the waiter taking it, since the payments processing area was only ~12 feet from our table & in my direct line of sight.

    I then paid attention to that payments area, seeing one other waiter gathering there, and watched in abject shock as that other waiter (with his back towards me) performed that strangely familiar arm motion.

    Bounding out of the booth, I hit the payments area immediately. No chip-based readers. Only mag-swiping readers. My jaw fell open and I grabbed the elbow of our waiter & said to come back with me to our table where I pulled out two Benjamins to pay.

    I just could not and still cannot believe, from a massive hospitality company like Brinker, this occurred? Mag technology? In 2019?? My Gawd…….someone please tell me this was a one-off restaurant location for Brinker and not still the S.O.P. at all their locations & establishments.

    I slink even further down in my chair as I write this forum post & nervously check my wallet, wondering about the remaining Benjamins in my wallet and whether I am carrying enough of them.

    Protect yourself, Belli, proactively protect yourself.

    1. Whoever

      @belli, I bet the waiter was even more shocked when he saw you walk in wearing that pointy hat lined with aluminum foil. Jeez, get a grip.

    2. Gnecht

      The Benjamins in the wallet… what proactive protection do they get?

    3. somguy

      The liability shifted (with most things except gas stations), but STILL lots of places use mag swipe instead of chip. They just aren’t hurting enough yet. So yeah TONS of places even big name places still use mag swipe.

    4. Kwirk

      I keep at least 3 credit cards with different banks.

      I use the first card for recurring payments with presumably reliable entities and for nothing else. After many years I’ve never had to replace this card.

      I use the second card for all other transactions. I expect that this card will be episodically compromised and need replacement (takes about 2 days). I have every possible transaction alert activated for this card. Neither I nor, surprisingly, the bank has lost any money on this card.

      I use the third card as a backup while waiting for the second card to be replaced, roughly once per year.

      I spend my worry time thinking about the overall security of the large entities (eg Vanguard) that hold my money. I hope they have their sh*t together but, after seeing other entities with their data totally wiped, I dunno.

      1. Bill

        Are Credit Card transactions more secure?
        Do they have to have chip technology too?

        I go to Hy-Vee on average 2 times a week. If I insert my chip debit card at the liquor store, Starbucks, self-service POS checkout and regular checkout lanes, are these all safe?

        Is there a way to determine which transactions at Hy-Vee are swiped versus chip-inserted ATM charges/payments?

    5. timeless

      I’d encourage you to complain via Twitter (you’re welcome to write a letter to the companies’ executive office as well, that will get a response) — Twitter is surprisingly effective (especially if you get your friends, or fellow blog readers, to retweet).

    6. Marti

      Yes, the overreaction at the mag swipe is a bit much. I’d also have a real problem if any customer touched me. Stay in your lane.

  9. Readership1

    With all the money the thieves make, they could buy a large range of IP addresses.

  10. Jim

    Ah, good article. That one has not been reported locally yet. But they are here.
    I liked the Belli comment about the POS terminals. And they, all of us, have to remember, those things cost money. And it’s the restaurateur who has to pay for it. Do they get the newest and the best? Or one they can afford? That dollar difference means profit or loss. And you don’t stay open at a loss. And the newest ones cost a lot more. To get open, which would you buy or rent?
    On the Hy-Vee security story? I wouldn’t bet my wallet on separate systems. Bad outcomes are a trial, based on multiple attempts. They probably have not stopped yet.

    1. Matt

      If by local, you mean in Iowa, then you’d certainly be wrong:

      https://whotv.com/2019/08/14/hy-vee-warns-customers-of-data-breach/

      https://www.kcci.com/article/developing-hy-vee-investigating-possible-data-breach/28702131

      https://www.desmoinesregister.com/story/news/2019/08/14/hy-vee-investigating-possible-customer-payment-system-vulnerability-wahlburger-fuel-restaurants-data/2011069001/

      https://www.kcrg.com/content/news/Hy-Vee-discloses-possible-data-breach-involving-payment-processing-542687821.html

      I know no one has any sympathy for the victim companies, but thinking through the implications here…very few customers will have an impact from theft of the cards. They’ll just get replaced. I wonder if the most impact to customers is going to be increased prices for groceries. Hy-Vee is one of the most significant grocery chains left in Iowa. We do have Walmart/Target, but Hy-Vee doesn’t have a ton of competition in some areas.

      1. Sandy Taylor

        The victims here are the financial institutions. They are the ones that pay 4-5 dollars each to replace the card and they are the ones that reimburse the customers for losses. The customers will eventually suffer from higher bank fees to cover all of these losses.

        1. spagafus

          In these scenarios the “customers” are the merchants who pay dearly for non-compliance and violations like breaches. Not only does their reputation suffer but their cost of doing business with the financial institutions and accepting payment cards for transactions goes up. They may try to pass that on to their own customers but competition in retail is high so in the end it’s in their best interest to protect the data or suffer the losses.

    2. bobbybino

      Those new POS terminals may well be an expense a restaurateur would prefer not to make, but by making the choice not to purchase them, they take on the liability for any breaches on their systems, rather than the bank. Just one breach could easily bankrupt them.

      1. timeless

        Sadly, liability isn’t properly defined.

        Imagine this:

        1. AlphaBank issues you an EMV card, BetterCard.
        2. You go to a vendor with a swipe machine CrappyVendor.
        3. You make a purchase using BetterCard at CrappyVendor. Your card’s information is stolen here.
        4. Thief makes DummyCard based on the information stolen from CrappyVendor (marking card as EMV not available).
        5. Thief takes DummyCard to ElectedVendor which has an EMV reader.
        6. Thief buys something expensive from ElectedVendor with DummyCard.
        7. AlphaBank receives a request for funds from ElectedVendor and approves the request.

        Where should liability be in this?

        Personally, I’d want it to be with CrappyVendor. But the liability is probably with ElectedVendor, and the costs will probably be borne by AlphaBank and AlphaBank will pass those costs along to FullyEveryOtherVendor because it needs to recoup the money and can’t usefully push it back elsewhere.

  11. Jay

    How many customers even ask if the restaurant or other retail establishment has and uses chip readers? Which fuel chains have chip readers at the pumps? None yet, I suspect. I walk in to the counter at the Sunoco gas station to use the chip reader, and go elsewhere if it doesn’t have one. It may be inconvenient, but not nearly so much hassle as having to deal later with the results of a skimmer.

    1. DavidD

      Gas stations received an extension on the deadline to migrate to chip card devices to October 2020, and the liability for fraudulent transactions at their mag stripe terminals is still with their merchant banks.

      1. Robert.Walter

        If there is one industry with more than adequate cash flow to have been first in line with NFC and chip readers it is big oil. Why they weren’t required to assume full liability in exchange for receiving their 2-year delay in implementing is beyond me (except too much power being wielded inappropriately).

    2. IGoogledIt

      I live outside Sacramento, California, and the majority of gas stations I go to all have chip readers. So do all the grocery stores, liquor stores, and restaurants. It’s pretty rare to see somewhere without one (unless they are using stupid Square for payments; Square needs to step up their game).

      1. John J.

        Square has NFC & chip support; it’s on the merchants to update their readers.

  12. Kjohnson

    So when they installed the Hy-Vee Market Grilles and Wahlburgers SPOD’s inside the store, they went on the cheap on these POS systems? Or were they using a different cash register system that was not up to snuff?
    When will Visa/MasterCard/etc. put a hard requirement on these POS systems and hold these merchants liable? We continue to see this can being kicked down the road at the expense of the consumer’s data and credit.
    I’ve given up believing that merchants care and have gone back to pulling cash out for my weekly transactions as well as gift cards. At least when I leave the store I know that ENDS my transaction with no recourse worries. (Data/CC #/My Time)

    1. Readership1

      You ask a lot of foolish and irrelevant questions.

      Your time is not worth a damn, because you’re not the victim or the provider of card data. The only ones affected are banks and merchants.

      You have no liability here, no responsibility, and no skin in the game. You use their cards on their equipment to use their money to pay for your groceries. Then you whine about it! Adults pay for things themselves, immediately.

      Quit your whining and use cash, kid.

    2. timeless

      Gift cards are a bad idea for all sorts of reasons.

      Use normal credit cards. Liability is capped at $50. As mentioned elsewhere, have 4 cards, one for recurring transactions, one for online transactions, one for in person transactions, one for when one of the cards is compromised.

      Never use debit cards.

  13. spagafus

    Oh boy. This is going to cost Hy-Vee (or their payment processor) a pretty penny.

      1. spagafus

        Seek and you shall find. The below is as of 2017 and the 2013 breach is still costing them money. Just because it’s not making headlines it doesn’t mean Target is not affected to this day.

        A report at SSL Store says the payout has hit $292 million already, and this figure does not include the several lawsuits that are still outstanding.

        The list of costs includes:
        $10 million paid in a class action lawsuit to affected consumers in March 2015.
        $19 million paid to Mastercard in an April 2015 settlement.
        $67 million paid to Visa in August 2015.
        $39.4 million paid to banks and credit unions for losses and costs related to the breach, in a December 2015 settlement.
        $18.5 million settlement.

        Long term impact of payment card data breaches like the above applies to any company accepting and handling payment cards.

        1. vb

          Message to all large retailers: segment your systems.

          Target was breached through their admin system. I would not be surprised if Hy-Vee was also breached the same way. Thick-headed retailers need to learn from others’ mistakes.

  14. JimV

    Hope the winner of this particular “miscreant’s jackpot” is eventually nailed, brought into court and given an appropriate term at some Federal prison that’s rather less pleasant than the more comfortable “Club Fed” versions….

  15. Wayne H

    In Iowa, the gas pump prompts you to swipe your credit card then prompts you to (optionally) swipe your HyVee rewards card. The rewards system knows your name, email address, any discounts due at the pump and coupons you have selected. I presume the rewards card data was collected by the same malware. I wonder how marketable the rewards data is?

  16. sufagaps

    I’m in a country where chip-and-pin / tap is pretty much 100% adopted. I can’t remember the last time my payment card went through a basic swipe except when I was in other countries. Here is what I worry about: eventually the US will spend the money on new payment terminals and chip-and-pin will be commonplace.

    So what will the bad guys do then? Focus more on online stores where there is no chip? Will the chips themselves be a focus for the attackers? Whatever they do, it will be bad for me.

    When I am encouraging people to adopt more modern security practices, I use the analogy where you’re walking with a friend in the woods and come across a starving bear … you don’t need to outrun the bear. Just your friend. If your security practices are better than most then you are a smaller target. Right now the US is my slow friend and I kind of like it that way.

    1. timeless

      Brian has noted that in places w/ EMV adoption, CNP (Card Not Present) fraud has gone up (not fully compensating, but that’s the answer to where the fraud is going).

      So, roughly, expect more attacks against online vendors.

  17. DavidD

    “Those individual dumps records — when encoded onto a new magnetic stripe on virtually anything the size of a credit card — can be used to purchase stolen merchandise in big box stores.” – Maybe I need to get around more but are there really big box stores in the mid West that haven’t migrated to POS chip card devices? That’s most definitely penny wise and pound foolish considering the liability shift for this crime is now on merchants (gas station terminals were allowed an extension until 2020).

    1. timeless

      The credit card protocol has all sorts of backwards compatibility layers.

      Big boxes want sales. If your chip isn’t working, or your card claims it doesn’t support chip, they’ll still try to make the sale. It’s up to the payment network and issuer to decide thumbs-up/thumbs-down.

      Eventually this will change (I think mostly this needs to be changed by the issuer).

      1. Vog Bedrog

        +1 on the issuer controls.

        I work for a card issuer, and started gradually implementing mag stripe controls long ago. At this point we decline virtually all mag stripe transactions worldwide, and haven’t experienced counterfeit card fraud in years. All of which you’d think would be standard across the industry – but, based on conversations with contacts at other banks, is sadly far from the case.
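An added example, not any issuer’s real rules and not code from this thread: a simplified issuer-side authorization check that implements the controls Vog Bedrog and timeless describe, declining stripe reads of cards the issuer knows carry a chip, refusing chip-to-stripe fallback, and catching a stripe whose service code claims the card has no chip. The entry-mode codes, the field names, the scenarios and the travel-exception override are all assumptions.

```python
"""Issuer-side mag-stripe controls (added example; simplified model)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class EntryMode(Enum):
    # Two-digit values follow common ISO 8583 DE22 PAN-entry-mode conventions;
    # treat them as assumptions and confirm against the network spec you use.
    CHIP = "05"
    CONTACTLESS_CHIP = "07"
    MAGSTRIPE = "90"
    CONTACTLESS_MAGSTRIPE = "91"
    FALLBACK = "80"  # terminal reports the chip could not be read and swiped


@dataclass
class CardRecord:
    pan_last4: str
    emv_capable: bool  # the issuer knows which of its cards carry a chip
    travel_exception_until: Optional[str] = None  # "YYYY-MM-DD", manual override


@dataclass
class AuthRequest:
    pan_last4: str
    entry_mode: EntryMode
    service_code: str  # 3 digits as read from Track 2 ("" for chip reads)
    terminal_emv_capable: bool
    txn_date: str  # "YYYY-MM-DD"


@dataclass
class Decision:
    approve: bool
    reason: str


CHIP_SERVICE_DIGITS = ("2", "6")  # first service-code digit meaning "IC present"


def decide(card: CardRecord, req: AuthRequest, allow_fallback: bool = False) -> Decision:
    """Stripe-control verdict only; velocity, AVS and the rest live elsewhere."""
    if req.entry_mode in (EntryMode.CHIP, EntryMode.CONTACTLESS_CHIP):
        return Decision(True, "chip read; stripe controls not applicable")
    if not card.emv_capable:
        # Nothing to compare against: the issuer never put a chip on this card.
        return Decision(True, "legacy card; approve and queue for chip reissue")
    # From here on: a stripe read of a card the issuer knows carries a chip.
    if req.service_code[:1] not in CHIP_SERVICE_DIGITS:
        # Track claims "no chip" but the issuer record says chip: re-encoded stripe.
        return Decision(False, "service code mismatch; stripe data re-encoded")
    if req.entry_mode == EntryMode.FALLBACK:
        if allow_fallback:
            return Decision(True, "fallback permitted by policy; monitor velocity")
        return Decision(False, "chip-to-stripe fallback declined by policy")
    if req.terminal_emv_capable:
        return Decision(False, "chip card swiped at chip-capable terminal")
    if card.travel_exception_until and req.txn_date <= card.travel_exception_until:
        return Decision(True, "mag stripe allowed under travel exception")
    return Decision(False, "mag stripe read of chip card declined")


def evaluate_all() -> dict:
    """Run constructed scenarios; returns {scenario: approved}."""
    chip_card = CardRecord("1111", emv_capable=True)
    legacy_card = CardRecord("2222", emv_capable=False)
    traveller = CardRecord("3333", emv_capable=True, travel_exception_until="2019-09-30")
    d = "2019-08-22"
    scenarios = {
        "chip_read": (chip_card, AuthRequest("1111", EntryMode.CHIP, "", True, d)),
        "dump_reencoded_no_chip": (chip_card, AuthRequest("1111", EntryMode.MAGSTRIPE, "101", False, d)),
        "fallback_at_chip_terminal": (chip_card, AuthRequest("1111", EntryMode.FALLBACK, "201", True, d)),
        "swipe_at_chip_terminal": (chip_card, AuthRequest("1111", EntryMode.MAGSTRIPE, "201", True, d)),
        "swipe_at_legacy_pump": (chip_card, AuthRequest("1111", EntryMode.MAGSTRIPE, "201", False, d)),
        "legacy_card_swipe": (legacy_card, AuthRequest("2222", EntryMode.MAGSTRIPE, "101", False, d)),
        "travel_exception": (traveller, AuthRequest("3333", EntryMode.MAGSTRIPE, "201", False, "2019-08-25")),
    }
    return {name: decide(card, req).approve for name, (card, req) in scenarios.items()}


if __name__ == "__main__":
    for name, approved in evaluate_all().items():
        print(f"{name:28s} {'APPROVE' if approved else 'DECLINE'}")
```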

  18. DaveR

    No one seems to care how the dummy card stash is then allowed to be used at the merchant nearest you. You would think with the liability shift, POS chip card migration would be done by now. Heck, the dummy card stash will probably be used at the same Hy-Vee restaurants/gas stations again if Hy-Vee officials choose not to ID the customer at magnetic stripe POS terminals. Simple identification of the cardholder would stop much of this at magnetic stripe POS terminals. Saying that, I suppose most of the subject dummy card stash will be used for “card not present” etransactions moving forward. Yikes!

    1. timeless

      Pretty much all merchants have established ~do not interfere~ policies for their sales folk. Given the risk of someone pulling out a weapon, the liability is much lower merely allowing the theft to occur and billing insurance than having to deal w/ insurance claims relating to bloodshed.

      This means someone can actually try 3-10 plastic cards one after another until one works, and clerks will not interfere.

      This is better than having other customers in line getting attacked or having the sales staff attacked.

      The PR costs from violence are much higher than the insurance costs due to theft. (I don’t want to look for theft numbers comparing staff w/ CC fraud, but in some places losses due to staff-based theft are definitely higher.)

  19. Mark

    This happened to my card. Call your bank, close your card.

  20. PattiMichelle

    As a recently retired USAF/SMC scientist, I have kept my physics/chemistry “eye” on the increasing stress on the global money/credit system supporting our complex civilization (Rockstrom, Wadhams, Anderson, et al.). A big concern which has emerged is the fragility of the money system (Bendell, Read, etc.). That is, maybe a serious problem with part of the electronic money system, occurring in one country, would shut down someone’s ability to buy food in another country, creating a local crisis in the second country. I’m trying to understand details of how this would be possible, although that may not be closely related to the content of this article. Still, thanks for the reporting, and I look forward to some more details, as publicity statements from Hy-Vee are essentially useless as information.

    1. PattiMichelle

      (…of course, the point being in how to prepare, i.e., make yourself and your local community less vulnerable to such crises.)

  21. bobbybino

    Maybe the Apple Card is the solution to having to use the mag stripe on the card. After each time you have to swipe the card, you can request a new physical card number in the Wallet app.

  22. Bill

    My experience, and where I think the problem really resides, is at odds with most of the comments here. I had a credit card hacked at 8PM EST for about $100 at a Papa Johns 900 miles away. Within 4 hours I had the name and address of the hacker who received the food, I had the police there, and they were arrested and held in prison for 3 days. Two months later they were prosecuted by the City Attorney’s Office and forced to agree to a plea deal which will affect their lives for the next 24 months.
    At no point in this process, after 6 calls and a letter to their Board of Directors, would the credit card company/bank assist by calling the police, participate in the prosecution, or lend any resources to assist in punishing these people that I caught for them.
    The bottom line is that the credit card companies/banks run phony Security Departments which are unreachable even by the equally phony and useless Security people you initially contact when calling in a hack. The credit card companies/banks refuse to in any way engage with law enforcement even if the crooks can be apprehended in real time. They have made this a crime that has no punishment or consequences, and thus the epidemic we are confronted with.

    1. Beeker25

      Same thing happened to me. I had someone purchase an airline ticket, so I contacted the bank and went through the process of getting a new card, and they promptly ripped up my card. I tried the process of calling the airline in question so I could have the person apprehended when they boarded whatever flight. I was asked for the last 4 digits of the card so the airline CSR could tell me. Since the card was ripped up, I couldn’t provide it.

      It is possible that you can get the identity of the perpetrator and prosecute them. To the bank, it is much easier to issue a new card rather than go through the process of passing the information to law enforcement to nip it in the bud.

      So good for you for getting the perp.

  23. weirdcrap

    Definitely wasn’t just the gas pumps and grills. Recently moved to a city with a Hy-Vee, literally never shopped there before.

    Spent $5 for Q-tips and rubbing alcohol at a checkout lane in the store and just got my card canceled for being in the breach.

    Never shopped there before, and will never be going back.

    1. Real Mccoy

      @ weirdcrap, a number of different sites within every store were compromised. It is your choice to not shop at this chain ever again; however, it is unlikely that it was due to gross negligence on the merchant’s part. This level of malware just catches the best known businesses, from large hotel chains, food chains, retail stores, airlines, and so on. Even with security vendors, the attack vectors make every business a target. Performing chip or contactless transactions will help mitigate YOUR information from being compromised, but attackers will always be a constant threat. Typically, the businesses that have been heavily compromised in the past tend to be the safest now (some don’t learn) as they have invested heavily in cyber and payment security. Too early for Hy-Vee at the moment, but granted changes once a full assessment and investigation has concluded.

  24. Chris

    Honestly, if they don’t know when it started or ended, and don’t know what was used to do it.

    Technically it could still be acquiring new CC #’s.

  25. Sean

    I will be filing a class action lawsuit on behalf of the 24,000+ members of my bank that were affected. As a consumer I am sick and tired of having to replace my account information every time I get a new card. Time to get someone’s attention.
