[BreachExchange] Rutter's store chain discloses security breach involving POS malware

Destry Winant destry at riskbasedsecurity.com
Mon Feb 17 10:10:13 EST 2020


https://www.zdnet.com/article/rutters-store-chain-discloses-security-breach-involving-pos-malware/

US store chain Rutter's disclosed a security breach today. The company
says hackers gained access to its stores' network system and planted
malware that collected payment card details as they were being
processed.

Stores in Pennsylvania and West Virginia were impacted, Rutter's said
today in a press release and a notice posted on its website.

For most locations, the malware was present from October 1, 2018
through May 29, 2019; for some stores, however, the infection timeline
is different. See this page for details about the infection timeline
of Rutter's stores.

Rutter's said the malware collected data from payment cards swiped
through point-of-sale (POS) devices installed inside convenience
stores and some of its fuel pumps.

In most cases, the malware is believed to have collected the
user's name, card number, expiration date, and internal verification
code. For users who paid with cards at an EMV-capable POS device,
Rutter's said it believes the malware collected only the card number
and expiration date.

The store chain said that payment card transactions at Rutter's car
washes, ATMs, and lottery machines were not impacted.

RUTTER'S LEARNED OF THE BREACH FROM A THIRD PARTY

Rutter's said it learned about the incident following "a report from a
third party." It didn't say when it learned of the malware infection,
but said that the investigation into the incident concluded a month
ago, on January 13, 2020.

The store chain said it removed the malware from its payment systems,
reported the incident to law enforcement, and is now notifying
impacted customers.

In December 2019, payments processor VISA published a security alert
about multiple incidents involving POS malware at gas pumps across
North America.

It is unclear if Rutter's was one of the companies mentioned in the
VISA alert. Wawa, another US convenience store that operates gas
pumps, disclosed a POS malware incident. Wawa's data ended up for sale
online, on a dark web carding shop, and is considered one of the
biggest card data dumps to date.

Rutter's operates convenience stores and gas stations across more than
70 locations in Pennsylvania, West Virginia, and Maryland.

