YORK, Pa.—Rutter’s said Thursday it is notifying customers that an unauthorized entity may have accessed data from payment cards used on point-of-sale (POS) devices at some fuel pumps and inside some of its convenience stores through malware installed on the payment processing systems.
“The malware has been removed, and Rutter's has implemented enhanced security measures,” the company said in a news release. “Rutter's also continues to work to evaluate additional ways to enhance the security of payment card data.” Rutter’s said it has engaged cybersecurity firms to help it investigate the breach and has notified law enforcement.
For most locations, the malware was present between October 1, 2018 through May 29, 2019. However, Rutter’s said access to card data may have started on August 30, 2018, at one location, and at nine additional locations, access to card data may have started as early as September 20, 2018. A list of the locations involved and specific timeframes is available at www.rutters.com/paymentcardincident.
Rutter’s noted that “this incident is not the result of a handheld ‘skimmer’ being placed on a Rutter's fuel pump.”
Payment card transactions at Rutter's car washes, ATMs, and lottery machines in Rutter's stores were not involved.
“We regret this incident occurred and sincerely apologize for any inconvenience,” Rutter’s said in a statement. “Our family has been in business for over 273 years in central Pennsylvania, and we sincerely appreciate all of our loyal customers through the decades. Our award-winning team is ready to serve our valued customers, as we move forward from this incident.”
In December, Media, Pa.-based Wawa announced that it had discovered malware on in-store payment terminals and fuel dispensers and had contained the threat.