U.S. Store Chain Rutter’s Hit by Credit Card Stealing Malware

Rutter's, a U.S. convenience store, fast food restaurant, and gas station chain owner, has disclosed today that 71 locations were infected with a point-of-sale (POS) malware that was used by attackers to steal customers' credit card information.

Headquartered in Central Pennsylvania, Rutter’s is a family-owned group of companies with a history dating back to 1747 that operates more than 75 locations throughout Pennsylvania, Maryland, and West Virginia.

Rutter’s disclosed in a Notice of Payment Card Incident published today that it found evidence indicating that some payment card data from cards used on point-of-sale (POS) devices from convenience stores and fuel pumps were accessed by an unauthorized actor using malware installed on the payment processing systems.

While the timeframes of the incident vary for each location, "the general timeframe beginning October 1, 2018 through May 29, 2019."

"There is one location where access to card data may have started August 30, 2018 and nine additional locations where access to card data may have started as early as September 20, 2018," Rutter's said.

Rutter’s recently received a report from a third party suggesting there may have been unauthorized access to data from payment cards that were used at some Rutter’s locations. We launched an investigation, and cybersecurity firms were engaged to assist. We also notified law enforcement.

The attacker used the POS malware to copy card numbers, expiration dates, and internal verification codes from credit cards routed through the compromised payment processing devices (in some cases, cardholder names were also collected).

"However, chip-enabled (EMV) POS terminals are used inside our convenience stores," the notice explains. "EMV cards generate a unique code that is validated for each transaction, and the code cannot be reused."

"As a result, for EMV cards inserted into the chip-reader on the EMV POS devices in our convenience stores, only card number and expiration date (and not the cardholder name or internal verification code) were involved."

Rutter's added that the malware used in the attack didn't copy payment data from all of the cards used at the affected locations and there is no indication that additional customer info was copied by the attacker.

"Payment card transactions at Rutter’s car washes, ATM’s, and lottery machines in Rutter’s stores were not involved," the notice reads.

It is always advisable to review your payment card statements for any unauthorized activity. You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of your payment card.

Rutter's reminded potentially impacted customers that they can also put a 'security freeze' on their credit file for free to prevent any credit, loans, or other services from being approved in their name without their approval.

In case their info has been misused, Rutter's customers should also file a complaint with the Federal Trade Commission and a police report in case of fraud or identity theft.

Rutter's also set up a dedicated call center at 888-271-9728, available Monday through Friday, from 9:00 am to 9:00 pm for additional questions.

VISA warned in December 2019 that the POS systems of North American fuel dispenser merchants are under an elevated and ongoing threat of being targeted by attacks coordinated by cybercrime groups.

U.S. restaurant and fast-food chains McAlister's Deli, Moe’s Southwest Grill, Schlotzsky’s, Hy-Vee, Krystal, and Landry's also disclosed payment card theft incidents caused by POS malware one after the other starting with October 2019.

A list of all affected Rutter's locations including map locations, addresses, and specific timeframes is available in the table embedded below.