Dive Brief:
- After detecting a customer payment data incident in July, Hy-Vee completed an investigation that found its payment systems were breached by malware, according to a press release.
- The malware attacked certain point-of-sale systems at Hy-Vee fuel pumps, drive-thru coffee shops, Market Grille and Wahlburgers restaurants and the cafeteria at the company's corporate headquarters in West Des Moines, Iowa. The malware searched for track data, which can include cardholder names, card numbers, expiration dates and security codes.
- Front-end checkout lanes, pharmacies, customer service counters, floral departments, clinics, and wine and spirit locations were not affected. The malware attack affected some cards used from December 14, 2018 to July 29, 2019 at fuel pumps and from January 15, 2019 to July 29, 2019 at restaurants and drive-thru coffee shops.
Dive Insight:
After detecting some unauthorized activity on July 29, 2019, Hy-Vee notified federal law enforcement and payment card networks and began investigating the issue. The retailer has since removed the malware, implemented tighter security measures and worked with cybersecurity experts to find better ways to prevent this from happening in the future.
Data breaches of retailer payment systems are fairly common and can be difficult to stop, as malware is constantly adapting. However, the grocer's quick response to the breach and transparency with customers during the process should keep its reputation in good standing, which is important for the popular Midwest grocer.
In 2017, Target forked over an $18.5 million settlement to 47 states due to a 2013 data breach that affected 110 million customers. Also in 2017, the taprooms and restaurants at several Whole Foods stores were hit by a credit card hack. Payment system data breaches not only cost companies millions of dollars, but can also put customers' trust in the grocer at risk if they don't feel secure shopping.
Retailers are also collecting more data now than in previous years in order to personalize the grocery experience, but more data means more risk if a grocer is hacked. Companies need to be responsible in safeguarding that information, Lillian Hardy, partner at law firm Hogan Lovells, told Retail Dive.
Employees should also be trained to look out for data breaches and refrain from sending confidential information over platforms like email, Retail Dive reported. Retailers should prepare for cybersecurity attacks throughout all departments of the company and should also vet the security of third-party partners.