More than 5.3 million new payment card accounts on sale at an underground data market may be tied to the July data security event suffered by Hy-Vee Inc. at its fuel pumps, drive-thru coffee shops and restaurants, a security researcher announced this week. 

Card account records from cardholders in 35 U.S. states are being sold under the name “Solar Energy Breach” by Joker’s Stash, an online market known for selling compromised accounts such as those at the previously compromised Hilton Hotels and Bebe Stores, Brian Krebs at Krebs on Security reports.

Citing two unnamed sources, one of whom Krebs said works at “a major U.S. financial institution,” Krebs reported at least some of the data in the “Solar Energy” package is tied to the Hy-Vee security event.

The accounts are being sold for between $17 and $35 apiece, Krebs wrote. The Joker’s Stash listing appeared on Aug. 20.

Hy-Vee spokesperson Tina Pothoff said the company is aware of the claim and is working with card processors and the FBI. 

“[Krebs] makes note that this data dump comes from cards from 35 states and more than 100 countries. We’re in eight states in one country, [but] we’re still continuing to investigate it,” Pothoff told the Business Record. 

“As soon as we can narrow down the scope of this and potentially locations that were impacted, as well as potential cards that may have been impacted, then we will be reaching out to customers and putting out a public statement as well,” Pothoff said. 

Hy-Vee employees noticed internal discrepancies in late July and the company made its Aug. 14 announcement as soon as the security event was confirmed, Pothoff said. 

“We are not at a point where we are able to say locations or timeline, because we’re still in the middle of that investigation,” Pothoff said. “Sometimes these investigations can take several weeks ... but we obviously are working as efficiently as we can to try and get this completed so we can get additional information to customers.”

In the initial announcement, Hy-Vee said it believes payment transactions through grocery checkouts, wine and spirits departments, floral departments, pharmacies and Aisles Online were not involved.