In the middle of August 2019, convenience store and supermarket giant Hy-Vee reported a data breach incident involving its point of sale systems. Few details about the breach were given initially, and it took about a week for cyber security researchers to take a closer look at the situation and provide more information on the matter. Before discussing some of the known details, it should be noted that the breach does not directly involve credit card processing in the sense of clearing payments; it is isolated to point of sale equipment and its supporting data network.
Hy-Vee is a major brand in the American Midwest; the company operates convenience stores, supermarkets, snack bars, and gas stations from South Dakota to Missouri plus six other states. As can be expected from a merchant of this magnitude, many locations handle payments through a shared point of sale (POS) network. What is known thus far about the incident is that hackers targeted the POS and credit card reader terminals at the company’s gas stations, cafes, Market Grille restaurants and Wahlburgers fast-food eateries. The POS and credit card processing systems at Hy-Vee supermarkets and convenience stores were not affected because they operate on a separate network.
According to an investigation by Brian Krebs, a respected information security researcher, the Hy-Vee breach resulted in the theft of about five million credit and debit card numbers from customers in 35 states as well as from a few countries in Europe and the Middle East. Unfortunately, these records found their way to underground cybercrime markets, where they are being sold for malicious purposes. The specific market mentioned by Krebs is known as Joker’s Stash, and the name of the data dump is “Solar Energy”; the sellers are asking between $17 and $35 per record.
Since Hy-Vee is still investigating the breach, individual cardholders who may have been affected have not been notified; moreover, the locations and the specific times when the transactions were compromised have not been revealed. The breach mechanism has not been disclosed either, but the Krebs report hinted that the POS network may have been infected with malware that intercepted data stored in the magnetic stripe of the cards. POS equipment at Hy-Vee supermarkets, convenience shops, and drugstores features point-to-point encryption, but this does not seem to be the case for the POS equipment installed at the affected Hy-Vee gas stations, cafes and restaurants.
While the Hy-Vee data breach can result in credit and debit card cloning, the company does not think that identity theft is something that shoppers should worry about because of the type of information stolen. Nonetheless, merchants can learn two lessons from this case: point-to-point encryption is always preferred for POS equipment, and cybercrime insurance policies are more important than ever. It is too early to tell if the burden of liability should fall on Hy-Vee or on the vendor managing the POS network, but this is something that merchants should think about. When credit and debit card transactions are encrypted from the reader to the terminal, data breaches are significantly mitigated. Should a POS or payments processor fail to protect transactions accordingly, a good insurance policy can shield merchants from legal complaints that may arise from a data breach.