The popular convenience store chain Rutter’s has reported that customers’ personal information was compromised at some of its Pennsylvania and West Virginia locations. According to a notice released by Rutter’s, the company received a report from a third party indicating that malicious actors had accessed payment card data from point-of-sale devices at certain fuel pumps. Additionally, Rutter’s states that some of the payment processing systems inside the stores had malware installed on them.
The malware accessed cardholders’ names, card numbers, expiration dates, and verification codes. However, due to the temporary nature of EMV card codes, only the card numbers and expiration dates were truly compromised.
Rutter’s makes the distinction that while EMV cards and chip readers were involved in the data breach, the incident is not a card skimming situation. Additionally, Rutter’s car washes, as well as its in-store ATMs and lottery machines, were not involved in the incident.
The time-frame for the card access spanned almost a year, from October 1st, 2018 to May 29th, 2019.
The notice ends with an apology and states that “The malware has been removed, and we have implemented enhanced security measures. We also continue to work to evaluate additional ways to enhance the security of payment card data. In addition, we continue to support law enforcement’s investigation.”
In addition to the statement, Rutter’s has released a payment card incident location tool in which you can select any location within the states of Pennsylvania or West Virginia to assess the locations and time-frames for each incident. This tool can help users figure out whether they might be affected by this attack.