Rutter’s to Pay $1 Million Settlement Over Data Breach

9-month attack affected 79 stores and more than 1.3 million payment cards

Rutter’s has agreed to pay $1 million and improve security measures via an independent assessment as a result of a cybersecurity attack that exposed information from more than a million of the convenience-store retailer's customer payment cards, according to Pennsylvania Attorney General Michelle Henry.

The attacks happened over a nine-month span in 2018 and 2019, involving 79 store locations and more than 1.3 million payment cards. The payment card information was accessed electronically, not at any physical store locations.

The Office of Attorney General investigation determined that Rutter’s failed to properly employ reasonable data security measures in protecting consumers’ sensitive personal information in violation of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law.

“This massive breach of data could have been catastrophic for countless consumers whose personal information was exposed due to flimsy safeguards in place at the time,” Henry said. “This settlement involves significant financial payment, but also assurance that future risk will be minimized.”

  • Rutter’s is No. 82 on CSP’s 2023 Top 202 ranking of U.S. convenience-store chains by store count.

On May 28, 2019, Rutter’s first became aware of unauthorized activity on its network but concluded that customers’ payment card information was not stolen.

In December 2019, Rutter’s learned about a pattern of unauthorized charges associated with 30 Rutter’s store locations. As a result, Mastercard required Rutter’s to conduct an investigation. The independent investigator found that the threat actors were previously successful in removing information attached to at least 1.3 million different payment cards in Rutter’s network.

In January 2020, Rutter's experienced unauthorized access to data from payment cards used at some locations. The company launched an investigation and identified and removed malware installed on payment processing systems.

Rutter’s worked with PDI in July 2020 to add a data hosting service, which runs Rutter’s infrastructure environment on a dedicated, single-tenant, multi-petabyte private cloud that is fully managed and monitored by PDI. A petabyte is a measure of memory or data storage capacity that is equal to 2 to the 50th power of bytes. There are 1,024 terabytes in a petabyte and approximately 1,024 petabytes make up one exabyte.

The exact number of affected consumers is unknown, the AG's Office said, as is the number of fraudulent transactions resulting from the stolen card information.

Along with the $1 million payment, the settlement requires Rutter’s to conduct and document a risk assessment, undergo an independent settlement compliance assessment and implement security improvements, including:

  • Information Security Program: Rutter’s must maintain a comprehensive information security program that is appropriately designed to protect the security, confidentiality, and integrity of personal information that it collects, receives, or processes.
  • Password Management: Rutter’s must implement appropriate password management.
  • Logging and Monitoring: Rutter’s must implement and maintain logging and log monitoring policies and procedures.
  • Update Software: Rutter’s must maintain, keep updated, and support the software on its network.
  • Disable service accounts: Rutter’s must disable service accounts that are no longer used for any legitimate business purpose.
  • Incident Response: Rutter’s must detect and respond to suspicious network activity within its network within reasonable means.

Rutter’s is a privately held chain of convenience stores based in York, Pennsylvania. It operates 84 locations in Pennsylvania, Maryland and West Virginia.  
