Several area Hy-Vee Market Grille and fuel pump locations were among those affected by a malware data breach that the grocery chain discovered July 29.
On Thursday, Hy-Vee released the list of locations it believes had been possibly affected when malware designed to access payment card data from point-of-sale devices popped up in December and January and continued into the summer.
Those included four locations in Independence (Market Grille and fuel pumps being separate locations), one in Blue Springs, four in Lee's Summit and two in Raytown.
Hy-Vee said it will send mail or email to customers it knows were possibly affected at a specific location and whose contact information the grocery chain has.
Hy-Vee said for some locations, the malware was not present on all point-of-sale devices at the location, nor did malware copy data from all the payments cards used at affected devices. The grocery chain could identify when the malware activity started and stopped at each location. The Market Grille and fuel pump locations use a different point-of-sale system than those inside the stores and pharmacies, etc. Those inside devices have point-to-point encryption technology for processing payment card transactions, Hy-Vee said, making the data unreadable.
The Independence locations were the Market Grille and fuel pumps at 1525 E. 23rd St. and at Noland Road and U.S. 40. The time frame on the Market Grille on 23rd was Jan. 15 through July 17 this year, while the fuel pumps were Dec. 14, 2018 through July 29. At Noland and U.S. 40, the Market Grille time frame was Jan. 15 through July 29, while fuel pumps were Dec. 14 through July 29.
The Blue Springs location was the Market Grille at 625 W. U.S. 40 (Jan. 15 through July 17).
In Lee's Summit the Market Grilles at Third Street and Ward Road and at Langsford and Rice roads got hit Jan. 15 through July 29, while the fuel pumps there were both Dec. 14 through July 29.
In Raytown, the Market Grille on Missouri 350 spanned Jan. 15 through July 17 and the fuel pump Dec. 14 through July 25.
In all, 32 locations and 10 in Kansas got hit with malware.
Hy-Vee said it first detected the unauthorized activity on its payment processing systems July 29 and immediately investigated and acquired help from cybersecurity firms. It also notified federal law enforcement and payment card networks of the breach. Hy-Vee first announced the investigation to customers Aug. 14 but had not narrowed down locations at that time.
Hy-Vee said the malware did not affect payment card transactions at the front-end checkout lanes, inside convenience stores, pharmacies, customer service counters, wine and spirits locations, floral departments and all other food service areas which use point-to-point encryption technology, as well as transactions from online orders.
The chain also urged customers at affected locations to review payment card statements for any unauthorized activity, report such activity to card companies, Federal Trade Commission and/or Attorney General's office and get free credit reports.