Rutter’s has become the latest US convenience store chain to suffer a breach of customer card data via Point of Sale (POS) malware.
Notified by a third party about potential unauthorized access to cards used at the firm’s locations, it launched an investigation and on January 14 discovered the malware installed on payment processing systems.
“The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code) read from a payment card as it was being routed through the payment processing systems,” the firm explained in a statement.
“However, chip-enabled (EMV) POS terminals are used inside our convenience stores. EMV cards generate a unique code that is validated for each transaction, and the code cannot be reused. As a result, for EMV cards inserted into the chip-reader on the EMV POS devices in our convenience stores, only card number and expiration date (and not the cardholder name or internal verification code) were involved.”
This means that users with old magstripe cards may have had their cards cloned for use in face-to-face fraud. On the EMV side, most e-commerce providers ask for a CV2 number and the name of the cardholder, so these customers would seem to be more insulated from follow-on fraud.
However, the number of cards affected in this breach could be huge. Over 70 outlets in Pennsylvania and West Virginia were affected and the malware is said to have been active October 1 2018 to May 29 2019. However, access to card data began as early as August 30 2018 for one outlet and September 20 2018 for nine more.
The news comes just weeks after convenience store chain Wawa notified customers of a similar breach. One dark web marketplace claimed last month that as many as 31 million cards may have been stolen in the raid, and are being uploaded to the site by the hackers.