Hy-Vee sign


WEST DES MOINES – Credit card information accessed from Hy-Vee, Inc. drive-through services customers included information from cards used in Clinton, the company’s website says.

A list of Hy-Vee stores and gas stations affected by malware found on some Hy-Vee credit card machines is available on its website, the company said in a press release Thursday.

Customers using Market Grille in Clinton from Jan.1 through July 29 and the Hy-Vee gas station in Clinton from Dec. 17, 2018 and July 25, 2019 may have been affected.

Hy-Vee reported the possible theft of credit card information to federal authorities and payment card networks in August.

After detecting unauthorized activity on some of its payment processing systems, Hy-Vee, Inc. enlisted cyber-security firms to help investigate, the company said.

The investigation identified malware designed to access payment card data from cards used on point-of-sale devices at certain fuel pumps, drive-through coffee shops and restaurants. The malware searched for track data, including the cardholder name, card number, expiration date and internal verification code, as it was being routed through the POS device, Hy-Vee said.

The malware was not present on all POS devices at the locations, and it did not copy data from all of the payment cards used, the company said.

A list of the locations involved and specific timeframes is available at www.hy-vee.com/paymentcardincident. The site also provides information about the incident and additional steps customers may take.

During the investigation, Hy-Vee removed the malware and implemented enhanced security measures, the company said. Hy-Vee will be contacting customers who have been affected if the company can identify them and find an email or mailing address for them.