UPDATED 21:45 EDT / FEBRUARY 16 2020

rutters SECURITY

Card data stolen in point-of-sale hack of Rutter’s stores and gas stations

CHR Corp. a company that owns the Rutter’s chain of convenience stores in Pennsylvania, West Virginia and Maryland, is the latest victim of a point-of-sale hacking as customer payment card details were stolen from some locations.

The hack, revealed Feb. 13, involved malware installed on payment processing systems. The malware is said to have searched for data including cardholder name, number, expiration data and internal verification as it was routed to payment processing systems.

The data stolen primarily involved customers who swiped their cards, although the company noted that because some of its outlets offer EMV-capable POS devices, customers who used this method had only their card number and expiration date stolen.

The data is primarily said to have been stolen from Oct. 1, 2018, through last May 19, although in some locations data theft may have started as early as Aug. 30, 2018. Rutter’s said it was made aware of the hack only after a report from an unnamed third party and that a monthlong investigation into the breach concluded Jan. 14.

Whom that third party was is open to speculation, but Visa Inc. issued a warning Dec. 15 that gas stations and gas pumps in the U.S. are being targeted by point-of-sale malware designed to steal credit card credentials. That’s unlikely to be a coincidence.

“This attack is similar to the event we saw with Wawa previously,” Erich Kron, security awareness advocate at security training company KnowBe4 Inc., told SiliconANGLE. “While the small-time criminals are hitting the gas pumps with credit card skimmers, the more sophisticated criminals are going after the serious money by installing malware on the devices as we see here.”

Kron added that it’s concerning that the malware was in place for almost nine months and was only discovered by being reported by a third party. “When handling large amounts of customer data, it is imperative that organizations monitor and test systems to ensure the safety of the data being handled,” he said.

Ruston Miles, chief strategy officer at payment processing firm Bluefin Payments Systems LLC, noted that with the EMV liability shift for gas pumps going into effect Oct. 1, “many merchants have delayed upgrading their convenience store to EMV or encryption because they are waiting for this deadline — putting gas stations and convenience stores behind the rest of the market in terms of security.”

With the EMV liability shift, all merchants that have not switched to EMV payments after Oct. 1 will be liable for all fraudulent transactions. Currently, banks and financial service providers are liable for fraudulent transactions.

“Hackers understand that gas stations will be upgrading their pumps to newer security technology ahead of this deadline, so they want to get in and obtain card data before that upgrade,” Miles said. “If the card data is not encrypted at the data level in firmware, then the hackers can now get access to these systems after the upgrade. So gas stations and convenience stores that have already upgraded to accept chip cards (EMV), but have not added encryption, are now more exposed than ever.”

Photo: Kristen Stanley/Wikimedia Commons

Since you’re here …

Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!

Support our mission:    >>>>>>  SUBSCRIBE NOW >>>>>>  to our YouTube channel.

… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.

If you like the reporting, video interviews and other ad-free content here, please take a moment to check out a sample of the video content supported by our sponsors, tweet your support, and keep coming back to SiliconANGLE.