Rutter's, a chain of convenience stores and gas stations with 72 locations in central Pennsylvania, West Virginia, and Maryland, has reported details of a data breach that exposed customers’ payment card information.

The breach is disturbingly similar to one that victimized Wawa, another convenience store chain. That breach was announced in December and affected nearly 30 million consumers.

“On January 14, 2020, the investigation identified evidence indicating that an unauthorized actor may have accessed payment card data from cards used on point-of-sale (POS) devices at some fuel pumps and inside some of our convenience stores through malware installed on the payment processing systems,” Rutter’s said in a statement. 

Similar methods

In the Wawa incident, a team of security investigators found malware on the company’s payment processing servers on December 10 and contained it two days later. The malware was able to capture payment card data from cards used in gas pump card readers as well as in point of sale terminals inside the stores.

The Rutter’s announcement suggests that the hackers were using the same or very similar method. Investigators say the malware found on Rutter’s servers searched for tracking data and read from a payment card as it was being routed through the payment processing systems. But not all cards used at the stores may have been compromised.

“Chip-enabled (EMV) POS terminals are used inside our convenience stores.  EMV cards generate a unique code that is validated for each transaction, and the code cannot be reused,” the company said. “As a result, for EMV cards inserted into the chip-reader on the EMV POS devices in our convenience stores, only card number and expiration date were involved.”

It also appears that the malware did not copy data from all of the payment cards used during the time it was on the company’s network. What’s clear, the company said, is that this hack was a sophisticated operation and not the result of a handheld "skimmer" being placed on a Rutter's fuel pump. 

New way to steal data

Visa warned in December that this type of hack was becoming more common. Over the summer, Visa said it found that “threat actors” had stepped up their game when it comes to stealing consumers’ payment card information. 

The scammers target merchant employees through the use of phishing emails. If someone clicks on an email link, they download malware that infects the entire network. Once inside the company’s system, it has no need to use risky and “low-tech” gas pump skimmers to steal payment card information.

As for the Rutter’s hack, the company says the specific timeframes when data from cards used at the locations involved may have been accessed vary by location. But the malware could have been capturing data at some locations from October 1, 2018 through May 29, 2019.

Consumers who used a payment card to make purchases at Rutter’s between those dates should carefully monitor statements and inform their bank or credit card issuer. Those companies may or may not choose to issue new cards.