Rutter's to pay $1 million in settlement after major data breach

Rutter’s to Pay $1 Million in Settlement After Major Data Breach

October 11, 2023

HARRISBURG — Attorney General Michelle Henry has revealed a settlement with the Pennsylvania-based convenience store chain, Rutter’s, following a series of cybersecurity attacks that compromised data from over a million customer payment cards.

The data breach occurred between 2018 and 2019, targeting 79 Rutter’s store locations and affecting over 1.3 million payment cards. The infiltration was carried out electronically and didn’t involve any physical store breaches.

The investigation by the Office of Attorney General concluded that Rutter’s neglected to implement adequate data security measures, thereby putting consumers’ confidential information at risk, violating Pennsylvania’s Unfair Trade Practices and Consumer Protection Law.

Under the settlement terms, Rutter’s has agreed to a $1 million payout and has pledged to enhance its security protocols, which will be assessed by an independent party.

Attorney General Henry remarked, “This significant breach could have had devastating repercussions for numerous consumers whose private data was made vulnerable due to inadequate protective measures. This settlement not only mandates a substantial financial penalty but also ensures a reduction in future risk.”

Rutter’s, which has its headquarters in York and runs 80 stores across Pennsylvania, initially detected suspicious network activity on May 28, 2019. Initially, the company believed that customer payment card details were safe. However, by December 2019, patterns of unauthorized charges linked to 30 Rutter’s stores were identified. Subsequent investigations, compelled by Mastercard, revealed that cybercriminals had successfully extracted details from approximately 1.3 million payment cards within Rutter’s system.

The precise number of consumers affected remains uncertain, as does the tally of fraudulent transactions resulting from the data breach.

As part of the agreement, Rutter’s will be obligated to:

  • Conduct a risk assessment and undergo an independent compliance assessment.
  • Maintain a thorough information security program.
  • Implement efficient password management procedures.
  • Enforce logging and log monitoring policies.
  • Regularly update and support its network software.
  • Deactivate service accounts no longer needed for business functions.
  • Promptly detect and address suspicious network activities.

The investigation’s leadership was credited to Senior Deputy Attorney General Tim Murphy and Senior Deputy Attorney General Debra Warring.

Phil Stilton

Phil Stilton is the Editor and Publisher of Shore News Network, an independent digital news organization covering New Jersey, national politics, public policy, public safety, and community affairs. With years of experience reporting on local government, elections, law enforcement, and issues impacting residents throughout New Jersey, Stilton has built a reputation for delivering timely news, in-depth reporting, and accountability journalism.

As the founder of Shore News Network, Stilton oversees editorial operations, investigative reporting, and breaking news coverage while working closely with journalists, public officials, and community leaders. His reporting has covered municipal government, state politics, federal policy, public records investigations, emergency management, and major news events affecting local communities.

Stilton is committed to factual reporting, source verification, transparency, and providing readers with accessible, accurate information that helps them better understand the issues shaping their communities. Through Shore News Network, he continues to focus on delivering trusted news coverage and original reporting to audiences across New Jersey and beyond.

For story tips, corrections, or media inquiries, readers can contact Shore News Network through its official website and social media channels.