Cyber Incident Victim: Russell Stover Chocolates

Russell Stover Chocolates, LLC publicly disclosed a data security incident on August 30, 2019, after discovering unauthorized access to payment card data at its retail stores. The company determined that malware had compromised its point-of-sale (POS) systems, potentially exposing transaction data from cards used between February 9, 2019, and August 7, 2019. The breach exclusively affected in-store purchases, with no evidence of impact to online transactions through Russell Stover’s website. Upon detecting the intrusion, the company immediately launched an investigation with independent cybersecurity experts and implemented containment measures to eradicate the malware. The compromised data included consumers’ first and last names alongside payment card numbers and expiration dates, though no evidence suggested misuse of this information at the time of disclosure. Law enforcement and payment card networks were notified, and regulatory authorities were engaged as part of the response.

Russell Stover established a dedicated call center and informational webpage to assist affected consumers, operating under reference number DB14273. The company emphasized monitoring payment card statements for unauthorized charges while underscoring that cardholders are typically not liable for fraudulent transactions when promptly reported. Internal security enhancements included expanded employee training and technical improvements to prevent future incidents. No specific details regarding the malware’s origin, propagation method, or number of affected individuals were disclosed in the announcement. The investigation remained ongoing at the time of the public notification, with Russell Stover committing to further strengthen its security protocols.