US store chain Rutter’s disclosed a security breach today. The company says hackers gained access to its stores’ network system and planted malware that collected payment card details as they were being processed.
For most locations, the malware was present between October 1, 2018 through May 29, 2019, however, for some stores, the infection timeline is different. See this page for details about the infection timeline of Rutter’s stores.
Rutter’s said the malware collected data from payment cards swiped through point-of-sale (POS) devices installed inside convenience stores and some of its fuel pumps.
In most cases, the malware is believed to have collected for the user’s name, card number, expiration date, and internal verification code. For users who paid with cards at an EMV-capable POS device, Rutter’s said it believes the malware collected only the card number and expiration date.
The store chain said that payment card transactions at Rutter’s car washes, ATMs, and lottery machines were not impacted.
Rutter’s learned of the breach from a third-party
Rutter’s said it learned about the incident following “a report from a third party.” It didn’t say when it learned of the malware infection, but that the investigation into the incident concluded a month ago, on January 13, 2020.
The store chain said it removed the malware from its payment systems, reported the incident to law enforcement, and is now notifying impacted customers.
In December 2019, payments processor VISA published a security alert about multiple incidents involving POS malware at gas pumps across North America.
It is unclear if Rutter’s was one of the companies mentioned in the VISA alert. Wawa, another US convenience store that operates gas pumps, disclosed a POS malware incident. Wawa’s data ended up for sale online, on a dark web carding shop, and is considered one of the biggest card data dumps to date.
Rutter’s operates convenience stores and gas stations across more than 70 locations in Pennsylvania, West Virginia, and Maryland.