The U.S. convenience store and gas station chain Rutter’s has announced that its POS (point of sale) payment systems were infected by malware. According to the published notice, the POS malware ran at its stores between October 1, 2018, and May 29, 2019, exfiltrating payment card data from unsuspecting customers. The timeframe may differ depending on the location (Rutter’s operates 72 stores), so customers are advised to check the dates for the specific store they visited.
The chain only learned about what happened when VISA tipped them off about the problem, possibly after someone discovered the associated dark web offering. Since the infection period extends for a whopping 240 days, and considering that it stopped almost a year ago, it is very likely that the stolen card data is already in the hands of many. Rutter’s initiated an investigation in December 2019 and concluded it on January 14, 2020. According to the results of this investigation, the malware that infected their POS systems was collecting “track data”, which usually includes cardholder names, card numbers, expiration dates, and the internal verification code. That’s everything one would need in order to create a valid clone card or to make internet purchases.
The company clarifies that the EMV POS devices used inside the convenience stores may have leaked only the card number and the expiration date, so the bigger problem is for those who made transactions outside, at some of the fuel pumps. If you are one of these customers and you bought something from Rutter’s during the aforementioned timeframe, you are advised to call 888-271-9728 to receive instructions on how to protect your identity and keep safe from fraudulent transactions.
Rutter’s assures its customers that its POS systems are now clean and that it has implemented enhanced security upgrades to prevent this from happening again in the future. If you used your card at Rutter’s car washes, ATMs, or lottery machines, this incident does not affect you. Those of you who paid on a POS, though, should place your account on “security freeze” for a while, until the authorities manage to figure out who’s behind this. If you can’t afford to do this, monitor your account activity closely and report any transactions that you don’t recognize to the Federal Trade Commission and/or the Attorney General’s office in your state.