Security researcher Brain Krebs has found that credit and debit card data came from compromised gas pumps, coffee shops and restaurants operated by Hy-Vee, a chain of more than 245 supermarkets located throughout the Midwestern US.

Hy-Vee announced on August 14, 2019 it was investigating a data breach involving payment processing systems that handle transactions at some Hy-Vee fuel pumps, drive-thru coffee shops and restaurants. However, the supermarket chain said it was too early to tell when the breach initially began or for how long intruders were inside their payment systems.

Hy-Vee said it believes the breach does not affect payment card terminals used at its grocery store checkout lanes, pharmacies or convenience stores, as these systems rely on a security technology designed to defeat card-skimming malware, KrebsOnSecurity mentioned.

The card data stolen from Hy-Vee is now being sold under the code name ‘Solar Energy’, at Joker’s Stash carding bazaar, with prices ranging from USD 17 to USD 35 apiece, the security researcher has found.