Skip to content ↓ | Skip to navigation ↓

Convenience store and gas station chain Rutter’s disclosed a security incident that might have affected customers’ payment card data.

According to a notice posted on its website, Rutter’s launched an investigation after receiving a report from a third-party of someone having gained unauthorized access to its customers’ payment cards data.

This effort revealed that an unknown party might have gained access to the data by using malware to infect the payment processing systems at some of the chain’s convenience store and gas station locations.

Transactions involving car washes, ATMs and lottery machines at its locations were not involved, as explained in the notice.

Rutter’s investigation revealed that the malware infection began at most of its locations on October 1, 2018 and endured until May 29, 2019. The company did note that attackers might have begun compromising customers’ payment card detail several months earlier at a few of its locations, however.

A list of locations affected by the incident along with specific timeframes for each location is available here.

In response to the incident, Rutter’s indicated that it’ll be contacting affected customers for whom it has a mailing address or email contact information. While it reaches out to these individuals individually, the company also issued a general apology within its notice:

We regret this incident occurred and sincerely apologize for any inconvenience. Our family has been in business for over 273 years in central Pennsylvania, and we sincerely appreciate all of our loyal customers through the decades. Our award-winning team is ready to serve our valued customers as we move forward from this incident.

Customers who fear the malware incident at Rutter’s compromised their payment card information should review their payment card statements. If they detect anything unusual, they should notify their card issuer as soon as possible.

News of this incident follows approximately one month after digital criminals posted customers’ payment card details exposed in the 2019 Wawa data breach for sale on a dark web marketplace.