Cyber Incident Victim: Hy-Vee
Date: Jul 2019
Location: United States of America
Summary
Hy-Vee experienced a point-of-sale breach affecting card transactions at certain fuel pumps, drive-thru coffee shops, and restaurant locations, including Market Grilles and Wahlburgers. The breach did not impact grocery stores, drugstores, convenience stores, or online transactions, which run on different, encrypted payment systems. Unauthorized activity was halted through remedial actions, though the specific compromised locations remained unclear during initial investigations. The supermarket chain advised customers to monitor card statements for suspicious charges and promptly report unauthorized transactions to their financial institutions. Impacted payment systems were isolated to select dining and fuel services, with core retail operations unaffected.
Description
Hy-Vee, a major US supermarket chain operating over 250 stores, publicly disclosed a point-of-sale (PoS) system breach on August 14, 2019, following an internal discovery of unauthorized activity. The compromise affected payment processing systems at specific customer-facing venues: fuel pumps, drive-thru coffee shops, and restaurant outlets including Market Grilles, Market Grille Expresses, and Wahlburgers. Card transactions conducted at these locations were potentially intercepted by attackers, though the company did not specify the intrusion method or duration. Hy-Vee confirmed its core retail environments—grocery stores, drugstores, and convenience stores—remained unaffected due to their use of a separate PoS system with encrypted transaction data described as "unreadable." Similarly, web-based transactions processed through Aisles Online were not compromised. The company stated immediate containment actions had halted the breach but provided no technical details regarding detection timelines or forensic methodologies.

Hy-Vee acknowledged limitations in its investigation's preliminary phase, preventing disclosure of specific impacted locations across its multi-state operations. The organization committed to providing updates as the inquiry progressed but offered no estimated timeline for completion. In its public advisory, Hy-Vee directed potentially affected customers to monitor bank statements for unauthorized charges and promptly notify issuing financial institutions, noting cardholders typically bear no liability for timely-reported fraudulent transactions. The breach notification did not quantify the number of compromised payment cards, reveal evidence of data misuse, or attribute responsibility to any threat actor. No ransomware deployment, data exfiltration claims, or secondary impacts beyond payment card risks were documented in the initial disclosure.
