AG Henry Announces $1 Million Settlement with Rutter’s After Data Breach Exposed Pennsylvanians’ Private Info

October 11, 2023 | Topic: Consumers

HARRISBURG — Attorney General Michelle Henry announced a settlement with York-based convenience store chain, Rutter’s, regarding cybersecurity attacks that exposed information from more than a million customer payment cards.

The attacks happened over a nine-month span in 2018 and 2019, involving 79 store locations, and more than 1.3 million payment cards. The payment card information was accessed electronically, not at any physical store locations.

The Office of Attorney General investigation determined Rutter’s failed to properly employ reasonable data security measures in protecting consumers’ sensitive personal information in violation of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law

As part of the settlement, Rutter’s agreed to pay $1 million and improve security measures via an independent assessment.

“This massive breach of data could have been catastrophic for countless consumers whose personal information was exposed due to flimsy safeguards in place at the time,” Attorney General Henry said. “This settlement involves significant financial payment, but also assurance that future risk will be minimized.”

Rutter’s is headquartered in York and has 80 store locations in Pennsylvania.

On May 28, 2019, Rutter’s first became aware of unauthorized activity on its network, but concluded that customers’ payment card information was not stolen. In December 2019, Rutter’s learned about a pattern of unauthorized charges associated with thirty Rutter’s store locations. As a result, Mastercard required Rutter’s to conduct an investigation. The independent investigator found that the threat actors were previously successful in removing information attached to at least 1.3 million different payment cards in Rutter’s network.

The exact number of impacted consumers is unknown, as is the number of fraudulent transactions resulting from the stolen card information.

Along with the $1 million payment, the settlement requires Rutter’s to conduct and document a risk assessment, undergo an independent settlement compliance assessment, and implement security improvements, including:

  • Information Security Program: Rutter’s must maintain a comprehensive information security program that is appropriately designed to protect the security, confidentiality, and integrity of personal information that it collects, receives, or processes.
  • Password Management: Rutter’s must implement appropriate password management.
  • Logging and Monitoring: Rutter’s must implement and maintain logging and log monitoring policies and procedures.
  • Update Software: Rutter’s must maintain, keep updated, and support the software on its network.
  • Disable service accounts: Rutter’s must disable service accounts that are no longer used for any legitimate business purpose.
  • Incident Response: Rutter’s must detect and respond to suspicious network activity within its network within reasonable means.

The investigation was led by Senior Deputy Attorney General Tim Murphy and Senior Deputy Attorney General Debra Warring.

# # #