Key Food Stores Co-Operative, Inc. (“Key Food”) values the relationship it has with its customers and takes the security of payment card data very seriously.
Key Food is providing additional information about the payment card incident that was first reported on March 2, 2020.
Key Food conducted an investigation of the incident with its Co-Op members, notified the payment card networks and followed their investigation process, and continues to provide information to assist an investigation by law enforcement.
The investigation identified the installation of malware designed to access payment card data from cards used on point-of-sale (“POS”) devices at some but not all Co-Op Member stores located in Florida between April 8, 2019 and January 24, 2020.
The POS devices at the store locations involved were EMV (chip) enabled. For EMV transactions at these locations, Key Food believes that only the card number and expiration date would have been found by the malware (but not the cardholder name or internal verification code).
For transactions where the magnetic stripe on the back of the card was swiped at the POS device, the malware could have found track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code).
There is no indication that other customer information was affected.
Customers can access a list of the locations involved and specific timeframes, as well information about additional steps they can take at http://www.keyfood.com/store/protectingourcustomers.
Not all locations were involved, and the specific timeframes vary by location.
During the investigation, Key Food removed the malware and implemented enhanced security measures.
Key Food also continues to look for additional steps to enhance the security of payment card data.
In addition, Key Food is working with the payment card networks so that the banks that issued the payment cards involved can be made aware.
Consistent with good practices, customers should closely monitor their payment card statements for any unauthorized activity.
Unauthorized transactions should immediately be reported to the bank that issued the card because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is typically on the back of your payment card.
For more information, visit www.keyfood.com