Cyber Incident Victim: Rutter's

Date: Aug 2018

Location: United States of America

Summary

A U.S. convenience store and gas station chain experienced a point-of-sale malware infection impacting 71 locations, compromising customer credit card information including card numbers, expiration dates, and verification codes. The malware targeted payment processing systems, though chip-enabled transactions limited data exposure to card numbers and expiration dates without capturing names or verification codes. Not all payment cards used at affected sites were compromised, and car wash, ATM, or lottery transactions remained unaffected. The company established a dedicated call center for inquiries and advised customers to monitor statements for unauthorized activity. This incident aligned with broader cybercrime trends targeting fuel dispenser merchants and restaurant POS systems.

Description

Rutter's, a family-owned chain operating convenience stores, fast food restaurants, and gas stations across Pennsylvania, Maryland, and West Virginia, disclosed on February 13, 2020, that 71 of its locations were compromised by point-of-sale (POS) malware designed to steal customer payment card data. The breach impacted POS devices at convenience stores and fuel pumps, with varying timeframes across locations spanning from October 1, 2018, to May 29, 2019. One location experienced potential data access as early as August 30, 2018, while nine others were affected starting around September 20, 2018. Attackers used malware installed on payment processing systems to capture card numbers, expiration dates, and internal verification codes from magnetic stripe transactions. For EMV chip-enabled cards inserted into chip readers at convenience store POS terminals, only card numbers and expiration dates were exposed due to the security features of EMV technology, which generates unique transaction codes. The malware did not compromise all cards used at affected locations, and no evidence suggested theft of additional customer information beyond payment card details. Transactions at Rutter’s car washes, ATMs, or lottery machines remained unaffected by the incident.

Upon discovering the breach, Rutter’s issued a public notification advising customers to review payment card statements for unauthorized charges and contact their card issuers immediately to dispute fraudulent activity. The company emphasized that cardholders are typically not liable for timely reported unauthorized transactions under payment card rules. Rutter’s established a dedicated call center operational on weekdays from 9:00 am to 9:00 pm to address customer inquiries and recommended placing free security freezes on credit files to prevent unauthorized account openings. Customers were also directed to file complaints with the Federal Trade Commission and local law enforcement if they suspected identity theft or fraud. The disclosure coincided with broader industry warnings, including a December 2019 VISA alert highlighting elevated threats to North American fuel dispenser merchants from coordinated cybercrime groups targeting POS systems. This incident followed a series of similar POS malware attacks affecting other U.S. restaurant and retail chains beginning in October 2019.
