HARRISBURG, Pa. (WTAJ) — Pennsylvania Attorney General Michelle Henry announced a settlement on Wednesday with Rutter’s over a series of cyberattacks that left more than a million customers’ payment cards exposed.
These attacks happened over a nine-month period in 2018 and 2019 and involved 79 locations and more than 1.3 million payment cards. According to the press release, card information was accessed electronically, not at any physical store.
Through an investigation, the Office of the Attorney General (OAG) determined that Rutter’s failed to employ reasonable data-security measures to protect customers’ personal information. The OAG said this violated Pennsylvania’s Unfair Trade Practices and Consumer Protection Law.
As part of the settlement, Rutter’s agreed to pay $1 million and improve security measures through an independent assessment.
“This massive breach of data could have been catastrophic for countless consumers whose personal information was exposed due to flimsy safeguards in place at the time,” Attorney General Henry said. “This settlement involves significant financial payment, but also assurance that future risk will be minimized.”
Additionally, the settlement requires Rutter’s to conduct and document a risk assessment, undergo an independent settlement compliance assessment, and implement security improvements, including:
- Information Security Program: Rutter’s must maintain a comprehensive information security program that is appropriately designed to protect the security, confidentiality, and integrity of personal information that it collects, receives, or processes.
- Password Management: Rutter’s must implement appropriate password management.
- Logging and Monitoring: Rutter’s must implement and maintain logging and log monitoring policies and procedures.
- Update Software: Rutter’s must maintain, keep updated, and support the software on its network.
- Disable service accounts: Rutter’s must disable service accounts that are no longer used for any legitimate business purpose.
- Incident Response: Rutter’s must detect and respond to suspicious activity within its network by reasonable means.
Rutter’s first became aware of the unauthorized activity on May 28, 2019, but initially determined that customers’ payment card information had not been stolen. In December 2019, Rutter’s learned of a pattern of unauthorized charges tied to 30 Rutter’s locations.
This prompted Mastercard to request that Rutter’s conduct an investigation. While more than 1.3 million payment cards were involved, the exact number of individual customers affected is unknown.