Rutter’s, a chain of convenience stores and gas stations in the U.S., alerted its customers Thursday about a security breach that impacted its stores’ network system across 71 locations.
In a press release, the family-owned group of companies said that a point-of-sale (POS) malware has been installed to its payment systems inside its stores and gas pumps, thereby enabling attackers to steal customers’ credit card information.
“Rutter’s recently received a report from a third party suggesting there may have been unauthorized access to data from payment cards that were used at some Rutter’s locations,” the company wrote in a Notice of Payment Card Incident. “We launched an investigation, and cybersecurity firms were engaged to assist. We also notified law enforcement.”
According to the report, the specific timeframes of security breach vary by location, with the majority found to had been impacted between Oct. 1, 2018 through May 29, 2019 and the others might have been affected starting as early as Aug. 30, 2018 and Sept. 20, 2018.
Overall, 71 locations in Pennsylvania and West Virginia were said to have been affected by the incident, including the store on Route 61 in Hamburg. Among the personal details that were compromised in the breach include the customers’ card numbers, expiration dates, and internal verification codes from credit cards.
“In addition, it appears that the malware did not copy data from all of the payment cards used during the period that it was present on a given payment processing system,” the notice continued. “There is no indication that other customer information was accessed. Please note this incident is not the result of a handheld skimmer being placed on a Rutter’s fuel pump.”
To date, Rutter’s said it had already removed the malware from its system and had implemented enhanced security measures to prevent a similar incident from happening in the future. The group of companies also ensured that it will “continue to work to evaluate additional ways to enhance the security of payment card data” and will “support law enforcement’s investigation.”
“We regret this incident occurred and sincerely apologize for any inconvenience,” the U.S. store chain expressed. “Our family has been in business for over 273 years in central Pennsylvania, and we sincerely appreciate all of our loyal customers through the decades. Our award-winning team is ready to serve our valued customers as we move forward from this incident.”