5M Cards Exposed in Latest Breach

A data breach involving gas pumps, coffee shops and restaurants operated by Iowa-based Hy-Vee may have led to more than 5 million credit and debit accounts belonging to consumers from 35 states being compromised and sold online. Hy-Vee operates more than 245 supermarkets throughout the Midwest.

According to KrebsOnSecurity, Hy-Vee announced earlier this month that it was investigating a data breach involving its payment processing systems. The stolen accounts have already been advertised for sale on the dark web.

Hy-Vee said it was too early to tell when the breach initially began or for how long intruders were inside its payment systems. But typically, such breaches occur when cybercriminals manage to remotely install malicious software on a retailer’s card-processing systems. This type of point-of-sale malware is capable of copying data stored on a credit or debit card’s magnetic stripe when those cards are swiped at compromised payment terminals. This data can then be used to create counterfeit copies of the cards.

"Hy-Vee said it believes the breach does not affect payment card terminals used at its grocery store checkout lanes, pharmacies or convenience stores, as these systems rely on a security technology designed to defeat card-skimming malware," reported Brian Krebs.

The Hy-Vee restaurants affected include Hy-Vee Market Grilles, Market Grille Expresses and Wahlburgers locations owned and operated by the company. 

Upwards of 12 billion personal records have been exposed in data breaches since 2005. CUNA and the state leagues have been and will continue to press Capitol Hill lawmakers to establish a national data security standard that subjects all entities with access to personal financial data to the same privacy protections as financial institutions under Gramm-Leach-Bliley, and holds any entity found responsible for a data breach liable for the resulting card reissuing and fraud costs.