HARRISBURG — Attorney General Michelle Henry has revealed a settlement with the Pennsylvania-based convenience store chain, Rutter’s, following a series of cybersecurity attacks that compromised data from over a million customer payment cards.
The data breach occurred between 2018 and 2019, targeting 79 Rutter’s store locations and affecting over 1.3 million payment cards. The infiltration was carried out electronically and didn’t involve any physical store breaches.
The investigation by the Office of Attorney General concluded that Rutter’s neglected to implement adequate data security measures, thereby putting consumers’ confidential information at risk, violating Pennsylvania’s Unfair Trade Practices and Consumer Protection Law.
Under the settlement terms, Rutter’s has agreed to a $1 million payout and has pledged to enhance its security protocols, which will be assessed by an independent party.
Attorney General Henry remarked, “This significant breach could have had devastating repercussions for numerous consumers whose private data was made vulnerable due to inadequate protective measures. This settlement not only mandates a substantial financial penalty but also ensures a reduction in future risk.”
Rutter’s, which has its headquarters in York and runs 80 stores across Pennsylvania, first detected suspicious network activity on May 28, 2019. At the time, the company believed that customer payment card details were safe. However, by December 2019, patterns of unauthorized charges linked to 30 Rutter’s stores were identified. Subsequent investigations, compelled by Mastercard, revealed that cybercriminals had successfully extracted details from approximately 1.3 million payment cards within Rutter’s system.
The precise number of consumers affected remains uncertain, as does the tally of fraudulent transactions resulting from the data breach.
As part of the agreement, Rutter’s will be obligated to:
- Conduct a risk assessment and undergo an independent compliance assessment.
- Maintain a thorough information security program.
- Implement efficient password management procedures.
- Enforce logging and log monitoring policies.
- Regularly update and support its network software.
- Deactivate service accounts no longer needed for business functions.
- Promptly detect and address suspicious network activities.
The investigation was led by Senior Deputy Attorney General Tim Murphy and Senior Deputy Attorney General Debra Warring.