
Hy-Vee Says Customer Credit Card Info Was Compromised


Des Moines, Iowa-based supermarket chain Hy-Vee said credit card information for an undisclosed number of customers was exposed in a data breach, according to reports.

“Hy-Vee takes the security of payment card data very seriously,” the company said in a statement on its website. “We want to make customers aware of an investigation we are conducting” into some transactions.

The number of locations that were affected is unknown. Hy-Vee operates 245 stores and called the breach a “security incident” that was related to payment processing systems at fuel pumps, drive-thru coffee shops and restaurants, which are on a different system than the in-store ones. 

Hy-Vee restaurants include Market Grilles, Market Grille Express and Wahlburgers. 

“After recently detecting unauthorized activity on some of our payment processing systems, we immediately began an investigation with the help of leading cybersecurity firms. We also notified federal law enforcement and the payment card networks. We believe the actions we have taken have stopped the unauthorized activity on our payment processing systems,” the company said.

The systems that are being investigated for the data breach use point-to-point encryption, which supposedly makes seeing card data virtually impossible.

“Based on our preliminary investigation,” Hy-Vee said, “we believe payment card transactions that were swiped or inserted on these systems, which are utilized at our front-end checkout lanes, pharmacies, customer service counters, wine & spirits locations, floral departments, clinics and all other food service areas, as well as transactions processed through Aisles Online, are not involved.”

The company said it would reach out to customers when more information became available. 

“It is always advisable to closely monitor your payment card statements for any unauthorized activity. If you see an unauthorized charge, immediately notify the financial institution that issued the card because cardholders are not generally responsible for unauthorized charges reported in a timely manner. The phone number to call is typically located on the back of the payment card,” the company said.


