The Pennsylvania and West Virginia convenience store chain Rutter’s was subjected to a POS skimming attack for at least seven months affecting card readers inside some stores and at gas pumps.
Rutter’s was informed of the problem by a third party and on January 14, 2020 a company investigation confirmed a data breach did take place. The general time frame the malware was present ranges from October 1, 2018 through May 29, 2019. One location was hit earlier, starting August 30, and nine others were infected starting on September 20. Rutter’s owns and operates 72 locations.
"Besides the obvious issue with the malware being installed, it is concerning that the malware was in place for almost nine months and was only discovered by being reported by a third party. When handling large amounts of customer data, it is imperative that organizations monitor and test systems to ensure the safety of the data being handled," Erich Kron, security awareness advocate for KnowBe4, told SC Media.
The company believes the POS systems at some fuel pumps and inside some of convenience stores were through malware installed on the corporate payment processing systems. The malware has been removed.
“The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code) read from a payment card as it was being routed through the payment processing systems,” the company reported.
Rutter’s did note that chip (EMV) cards used in chip readers located inside stores only gave up the card number and expiration date and no additional information. Also, POS systems in Rutter’s car washes, ATM’s, and lottery machines in were not involved.
Gas pumps must have EMV capability starting on October 20, 2020. Ruston Miles, chief strategy officer at Bluefin, said this deadline has encouraged many retailers to delay putting the chip readers in place prior to the required date which puts them at risk.
"Hackers understand that gas stations will be upgrading their pumps to newer security technology ahead of this deadline, so they want to get in and obtain card data before that upgrade," he said.
The company is notifying by mail customers who were known to have used their cards at the affected locations and for whom the chain has an address.
Rutter's is not the first Pennsylvania-headquartered gas station and convenience store to be hit. Wawa reported in December that it was hit with a similar breach that began on March 4, 2019 with all of its stores most likely being compromised by April 22. The company discovered the issue on December 10, 2019.