Rutter's Reports Malware Attack on POS Systems

YORK, Pa. — Rutter's is enhancing its security following reports of unauthorized access to its payment data.

The convenience store retailer reported the malware attack on Feb. 13. According to the company, a third party reported the possibility of unauthorized access to data from payment cards that were used at some Rutter's locations. 

The retailer launched a subsequent investigation with the help of cybersecurity firms, and notified law enforcement.

"On Jan. 14, 2020, the investigation identified evidence indicating that an unauthorized actor may have accessed payment card data from cards used on point-of-sale (POS) devices at some fuel pumps and inside some of our convenience stores through malware installed on the payment processing systems," the company explained in a notice posted to its website.

As Rutter's explained, the malware searched for track data — which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code — read from a payment card as it was being routed through the payment processing systems.

The retailer is EMV-compliant at its inside POS terminals. The chip-enabled, EMV-compliant cards generate a unique code that is validated for each transaction, and the code cannot be reused, it explained.

"As a result, for EMV cards inserted into the chip-reader on the EMV POS devices in our convenience stores, only card number and expiration date (and not the cardholder name or internal verification code) were involved," according to the statement.

"In addition, it appears that the malware did not copy data from all of the payment cards used during the period that it was present on a given payment processing system. There is no indication that other customer information was accessed," it added.  

Rutter's noted that the security breach was not related to a handheld skimmer at the pump.

The security breach timeframe varied by locations; however, it generally fell between Oct. 1, 2018 and May 29, 2019.

Access to card data may have started as early as Aug. 30, 2018 at one location, and at an additional nine locations as early as Sept. 20, 2018. 

A list of the locations involved and specific timeframes is available here.

The company plans to contact those customers it can identify as having used their card at a location involved during that location's specific timeframe.

The malware attack did not involve Rutter's car washes, ATM's and lottery machines.

"The malware has been removed, and we have implemented enhanced security measures. We also continue to work to evaluate additional ways to enhance the security of payment card data. In addition, we continue to support law enforcement's investigation," Rutter's said.

"We regret this incident occurred and sincerely apologize for any inconvenience. Our family has been in business for over 273 years in central Pennsylvania, and we sincerely appreciate all of our loyal customers through the decades," the retailer said. "Our award-winning team is ready to serve our valued customers as we move forward from this incident."

York-based Rutter's is a privately held chain of 76 convenience stores in Pennsylvania, Maryland and West Virginia.

The incident at Rutter's follows a security breach at Pennsylvania-based Wawa Inc. In December, Wawa CEO Chris Gheysens said malware affected payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained on Dec. 12, as Convenience Store News previously reported.

In late January, Wawa alerted customers to possible criminal attempts to sell some customer payment card information online that was potentially involved in the previous data breach.