Breach Brief, HyVee, State Farm, Choice Hotels
Hy-Vee Markets warned customers last week after staff discovered a security breach on some of its point-of-sale (PoS) systems. The chain operates 248 stores throughout the midwest.
According to the company card transactions at Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants (Market Grilles, Market Grille Expresses, and Wahlburgers) may have been recorded by hackers. The store has advised custmers that point of sale card readers at Hy-Vee grocery stores, drugstores, and convenience stores have not been impacted by the breach.
Although it is not know who carried out the hack the card numbers and customer data has begun to show up on the dark web.
According to Krebsonsecurity.com 5.3 million accounts have appeard for sale on the underground website Joker’s Stash. The accounts belong to cardholders in 35 states and are being sold for beween $17 and $35 each.
A Hy-Vee spokesperson said the company is aware that customer data is for sale on the dark web and “is working with the payment card networks so that they can identify the cards and work with issuing banks to initiate heightened monitoring on accounts.”
Consumers are urged to keep an eye on bank and card accounts and credit reports.
Atlanta based Focus Brands, owners of Moe’s Southwest Grill, Schlotzsky’s and McAllister’s Deli restaurants reported a data breach. According to a company spokesperson the investigation “is focused on transactions that occurred from April 2019 into July 2019.”
The company has not said which restaurant locations the breach is tied to nor how many customer may have been affected, only that the investigation is ongoing.
Choice Hotels has been hit by a massive data breach of information from guests who stayed at Choice Hotels and its subsidiaries. Choice Hotels operates 14 different hotel brands that include Comfort, Sleep Inn, Quality Inn, Clarion, EconoLodge and Rodeway Inn. The data breach may impact as many as 700,000 Choice Hotel Customers.
ConsumerAffairs.com reported that the Choice Hotels data breach resulted from hackers discovering an unsecured database containing 5.7 million Choice Hotel records. The database contained names, email addresses and phone numbers of former guests. Choice Hotels claims most of the data was “test data.” However, the database was left unprotected online for four days before being discovered by a security team.
Hackers who found the unsecured database left a ransom note demanding a Bitcoin payments of .4b or $4,000 claiming the database had been downloaded. Choice Hotel owners said the ransom demand was “not successful.”
Choice Hotels says it’s continuing to investigate the data leak and will no longer be working with the vendor who hosted its data.
The nation’s largest property and casualty insurance provider has been compromised in a credential stuffing attack. State Farm Insurance filed a data breach notification with the California Attorney General on Wednesday, Aug. 7
Credential stuffing is an attack where hackers obtain usernames and passwords that were leaked from a previous data breach attack and use those credentials to log-in to other accounts and sites. This type of attack works against people who use the same password across multiple websites.
State Farm admitted the data compromise in a “Notice of Data Breach” email. The company stated the attacker did get customer usernames and passwords of some policyholders’ accounts. But BleepingComputer.com reported that no personally identifiable information was viewable, and no fraud was detected. It is unknown if the attacker was able to log into the accounts.
State Farm has notified all account holders affected and reset all passwords for the accounts whose credentials were breached by the hacker.