Rutter's Reaches Data Breach Settlement With Pennsylvania AG

The security attack dates back to 2018 and 2019.
Melissa Kress
Executive Editor

YORK, Pa. — Rutter's agreed to pay $1 million as part of a settlement related to a data security breach over a nine-month period spanning 2018 to 2019.

The security breach involved 79 store locations and more than 1.3 million payment cards. The payment card information was accessed electronically, not at any physical store locations. Pennsylvania Attorney General Michelle Henry announced the settlement with the convenience store chain on Oct. 11.

According to the attorney general's office, its investigation determined Rutter's failed to properly employ reasonable data security measures in protecting consumers' sensitive personal information in violation of Pennsylvania's Unfair Trade Practices and Consumer Protection Law.

As part of the settlement, Rutter's also agreed to improve security measures via an independent assessment.

"This massive breach of data could have been catastrophic for countless consumers whose personal information was exposed due to flimsy safeguards in place at the time," Henry said. "This settlement involves significant financial payment, but also assurance that future risk will be minimized."

The convenience store retailer reported the malware attack on Feb. 13, 2020. According to the company, a third party reported the possibility of unauthorized access to data from payment cards that were used at some Rutter's locations. The retailer launched a subsequent investigation with the help of cybersecurity firms and notified law enforcement, as Convenience Store News reported.

As Rutter's explained at the time, the malware searched for track data — which sometimes has the cardholder name in addition to card number, expiration date and internal verification code — read from a payment card as it was being routed through the payment processing systems.

However, because the retailer is EMV compliant at its inside point-of-sale (POS) terminals, the malware captured only the card number and expiration date, not the cardholder name and verification code, of EMV cards inserted into the chip reader on the EMV POS devices.

Based in York, Rutter's operates 85 convenience stores in Pennsylvania, Maryland and West Virginia.
