Convenience store chain Rutters has announced that it suffered a security breach, wherein hackers managed to access the company’s network system and install malware that compromised customers’ data.
The store chain made its announcement after a “third party” informed the company that there may have been unauthorized access to payment card data. Rutters launched an investigation and notified law enforcement of the breach.
The malware at the heart of the breach impacted the company’s stores in Pennsylvania and West Virginia, affecting Rutters’ POS devices installed inside convenience stores and several of the company’s fuel pumps. The malware collected customers’ payment card details as they were being processed.
Among the information generally believed to have been collected is customers’ names, card numbers, expiration dates, and internal verification codes. But for users who paid with cards at POS devices that accept EMV-capable cards, the malware collected only the card numbers and expiration dates.
A press release from Rutters said that for most of its affected locations, the malware was present between October 01, 2018 and May 29, 2019. Several stores, however, were affected by the malware for different periods of time.
Rutters said that it would identify customers who have used their card in an affected location and would send them an email notifying them of the data breach.
The store chain offered assurances that despite the breach, payment card transactions at its car washes, ATMs, and lottery machines were not affected. Rutters also said in its release that the malware has since been removed, and that it has implemented “enhanced security measures.”
Rutters added that it will continue to assess additional ways to improve payment card data security and that it would continue to support law enforcement’s investigation.
