Rutter’s Stores Pays $1 Million for Payment Card Data Breach

October 16, 2023

Pennsylvania Attorney General Michelle Henry announced a settlement with York-based convenience store chain Rutter’s regarding cybersecurity attacks that exposed information from more than a million customer payment cards.

The attacks happened over a nine-month span in 2018 and 2019, involving 79 store locations and more than 1.3 million payment cards. The payment card information was accessed electronically, not at any physical store locations.

The attorney general’s office said its investigation determined Rutter’s “failed to properly employ reasonable data security measures” in protecting consumers’ sensitive personal information in violation of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law.

As part of the settlement, Rutter’s agreed to pay $1 million and to conduct and document a risk assessment, undergo an independent settlement compliance assessment, and implement security improvements.

Rutter’s does not admit to any wrongdoing in the settlement.

Rutter’s is headquartered in York and has 80 store locations in Pennsylvania.

On May 28, 2019, Rutter’s first became aware of unauthorized activity on its network, but concluded that customers’ payment card information was not stolen. In December 2019, Rutter’s learned about a pattern of unauthorized charges associated with thirty Rutter’s store locations. As a result, Mastercard required Rutter’s to conduct an investigation. The independent investigator found that the threat actors were previously successful in removing information attached to at least 1.3 million different payment cards in Rutter’s network.

The exact number of impacted consumers is unknown, as is the number of fraudulent transactions resulting from the stolen card information.
