The Pennsylvania and West Virginia convenience store chain Rutter’s was subjected to a POS skimming attack for at least seven months affecting card readers inside some stores and at gas pumps.
Rutter’s was informed of the problem by a third party and on January 14, 2020 a company investigation confirmed a data breach did take place. The general time frame the malware was present ranges from October 1, 2018 through May 29, 2019. One location was hit earlier, starting August 30, and nine others were infected starting on September 20. Rutter’s owns and operates 72 locations.
Besides the obvious issue with the malware being installed, it is concerning that the malware was in place for almost nine months and was only discovered by being reported by a third party. When handling large amounts of customer data, it is imperative that organizations monitor and test systems to ensure the safety of the data being handled,” Erich Kron, security awareness advocate for KnowBe4, told SC Media.
The company
believes the POS systems at some fuel pumps and inside some of convenience
stores were through malware installed on the corporate payment processing
systems. The malware has been removed.
“The malware
searched for track data (which sometimes has the cardholder name in addition to
card number, expiration date, and internal verification code) read from a
payment card as it was being routed through the payment processing systems,”
the company reported.
Rutter’s did
note that chip (EMV) cards used in chip readers located inside stores only gave
up the card number and expiration date and no additional information. Also, POS
systems in Rutter’s car washes, ATM’s, and lottery machines in were not
involved.
The company is notifying by mail customers who were known to have used their cards at the affected locations and for whom the chain has an address.
Rutter’s is not the first Pennsylvania-headquartered gas station and convenience store to be hit. Wawa reported in December that it was hit with a similar breach that began on March 4, 2019 with all of its stores most likely being compromised by April 22. The company discovered the issue on December 10, 2019.