BreachExchange mailing list archives
Stolen credit, debit card accounts for sale on black market may be linked to Hy-Vee data breach
From: Destry Winant <destry () riskbasedsecurity com>
Date: Mon, 26 Aug 2019 09:12:56 -0500
https://www.desmoinesregister.com/story/news/local/2019/08/23/hyvee-data-breach-cyber-security-stolen-credit-debit-card-accounts-wahlburgers-gas-pumps-coffee-shop/2094843001/

Credit and debit card accounts linked to a data breach at select Hy-Vee locations may be the source of data from 5.3 million accounts being offered for sale online, information security investigator Brian Krebs has reported.

Two anonymous sources, including one at an unidentified major U.S. financial institution, told Krebs that information stolen from accounts linked to the Hy-Vee breach is being sold under the code name "Solar Energy" at "Joker's Stash carding bazaar," a website where stolen credit and debit card data is resold.

Hy-Vee notified consumers on Aug. 14 that it was investigating a possible data breach in some of its payment processing systems, specifically card transactions at fuel pumps, drive-through coffee shops and its Market Grille, Market Grille Express and Wahlburgers restaurants that Hy-Vee owns and operates.

Hy-Vee spokeswoman Tina Potthoff told Krebs this week that Hy-Vee was aware of reports from payment processors and card networks that payment data was being sold on the dark web.

But Potthoff on Friday questioned some of the claims linking Hy-Vee to the availability of stolen data from millions of accounts.

"The dark web was advertising data being sold from cards from 35 states and more than 100 countries," Potthoff said. "Hy-Vee has stores in eight states in one country."

Potthoff said Hy-Vee has been in contact with card payment companies and is conducting an ongoing investigation. However, she said Hy-Vee hasn't found a way to independently determine how much of the data from the breach it is investigating may be available on the dark web.

"It is possible some cards are from incidents that occurred at other merchants," she said.

Hy-Vee has not yet been able to pinpoint locations where security breaches occurred or a definitive timeline, Potthoff said.

"We are working as quickly as possible to complete our investigation so we can get additional information to our customers," she said.

Card account records are being sold for between $17 and $35 apiece on the Joker's Stash, according to Krebs.

In a statement released last week, Hy-Vee said payment systems at its satellite institutions weren't guarded with the same encryption technology as point-of-sale payment systems at Hy-Vee grocery stores, drugstores or convenience stores.

According to Lynn Hicks, spokesman for Attorney General Tom Miller, Hy-Vee has not reached out to the attorney general's office, which businesses are required by law to do if a data breach affects more than 500 customers.

The attorney general's office hasn't received any consumer complaints, nor can it confirm the number of customers affected, Hicks said.