CHR Corp. a company that owns the Rutter’s chain of convenience stores in Pennsylvania, West Virginia and Maryland, is the latest victim of a point-of-sale hacking as customer payment card details were stolen from some locations.

The hack, revealed Feb. 13, involved malware installed on payment processing systems. The malware is said to have searched for data including cardholder name, number, expiration data and internal verification as it was routed to payment processing systems.

The data stolen primarily involved customers who swiped their cards, although the company noted that because some of its outlets offer EMV-capable POS devices, customers who used this method had only their card number and expiration date stolen.

The data is primarily said to have been stolen from Oct. 1, 2018, through last May 19, although in some locations data theft may have started as early as Aug. 30, 2018. Rutter’s said it was made aware of the hack only after a report from an unnamed third party and that a monthlong investigation into the breach concluded Jan. 14.

Whom that third party was is open to speculation, but Visa Inc. issued a warning Dec. 15 that gas stations and gas pumps in the U.S. are being targeted by point-of-sale malware designed to steal credit card credentials. That’s unlikely to be a coincidence.

“This attack is similar to the event we saw with Wawa previously,” Erich Kron, security awareness advocate at security training company KnowBe4 Inc., told SiliconANGLE. “While the small-time criminals are hitting the gas pumps with credit card skimmers, the more sophisticated criminals are going after the serious money by installing malware on the devices as we see here.”

Kron added that it’s concerning that the malware was in place for almost nine months and was only discovered by being reported by a third party. “When handling large amounts of customer data, it is imperative that organizations monitor and test systems to ensure the safety of the data being handled,” he said.

Ruston Miles, chief strategy officer at payment processing firm Bluefin Payments Systems LLC, noted that with the EMV liability shift for gas pumps going into effect Oct. 1, “many merchants have delayed upgrading their convenience store to EMV or encryption because they are waiting for this deadline — putting gas stations and convenience stores behind the rest of the market in terms of security.”

With the EMV liability shift, all merchants that have not switched to EMV payments after Oct. 1 will be liable for all fraudulent transactions. Currently, banks and financial service providers are liable for fraudulent transactions.

“Hackers understand that gas stations will be upgrading their pumps to newer security technology ahead of this deadline, so they want to get in and obtain card data before that upgrade,” Miles said. “If the card data is not encrypted at the data level in firmware, then the hackers can now get access to these systems after the upgrade. So gas stations and convenience stores that have already upgraded to accept chip cards (EMV), but have not added encryption, are now more exposed than ever.”

Photo: Kristen Stanley/Wikimedia Commons