Inconvenience fee: Rutter’s will pay PA $1 million, bolster security measures after data breach

In a development that will likely add to Pennsylvania’s convenience store discourse, Pennsylvania Attorney General Michelle Henry announced that her office has reached a $1 million settlement with Rutter’s, the York-based convenience store and truck stop chain, over a data breach that exposed information from customer payment cards. 

The data breach, which occurred over a nine-month stretch in 2018 and 2019, exposed information from more than 1.3 million customer payment cards and involved 79 Rutter’s locations across the commonwealth, according to the AG’s office. 

Henry said the settlement ensures that Rutter’s will work to minimize the risk of data breaches moving forward – as the settlement requires Rutter’s to take steps to enhance its information security protocols. 

“This massive breach of data could have been catastrophic for countless consumers whose personal information was exposed due to flimsy safeguards in place at the time,” Henry said Wednesday in a statement. “This settlement involves significant financial payment, but also assurance that future risk will be minimized.”

Henry’s office said the number of individuals impacted by the breach is not known, but that the attacks affected all but one of the company’s 80 locations in Pennsylvania. 

According to the settlement, Rutter’s first noticed unauthorized access on its network in May 2019, and the company’s payment processor Fiserv notified the company in December 2019 that Mastercard had identified a pattern of unauthorized charges at 30 Rutter’s locations.

Mastercard then had Rutter’s work with a payment card information forensic investigator, which determined that the actors behind the threat were able to exfiltrate, or remove, the personal information of Rutter’s customers. 

Rutter’s released a statement in February 2020 revealing details about the data breach and who was impacted, while clarifying that the breach did not involve handheld “skimmers” that can be placed on fuel pumps. 

“We regret this incident occurred and sincerely apologize for any inconvenience. Our family has been in business for over 273 years in central Pennsylvania, and we sincerely appreciate all of our loyal customers through the decades. Our award-winning team is ready to serve our valued customers as we move forward from this incident,” the company said in a statement at the time, according to WGAL.

Per the settlement, a state investigation of the data breach found that there were “shortcomings” in Rutter’s data security practices, including a lack of compliance with Payment Card Industry Data Security Standards and the use of weak passwords for legacy service accounts. 

As part of the settlement, Rutter’s will pay the state $1 million and will also be required to develop and maintain an information security program to protect sensitive data. The plan must include “documented methods and criteria for managing information security risks,” and the company will also be required to conduct comprehensive risk assessments at least once per year. 

The full settlement can be viewed below.