York-based Rutter’s has agreed to pay $1 million and improve security measures in a cybersecurity breach settlement with the state Attorney General’s office.
Attorney General Michelle Henry said in a statement Wednesday the settlement comes from cybersecurity attacks that exposed information from more than a million customer payment cards.
According to Henry’s office, the attacks happened over a nine-month span in 2018 and 2019 and involved 79 store locations and more than 1.3 million payment cards. The payment card information was accessed electronically, not at any physical store locations.
The Office of Attorney General investigation determined Rutter’s failed to properly employ reasonable data security measures in protecting consumers’ sensitive personal information in violation of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law.
“This massive breach of data could have been catastrophic for countless consumers whose personal information was exposed due to flimsy safeguards in place at the time,” Henry said. “This settlement involves significant financial payment, but also assurance that future risk will be minimized.”
Rutter’s has 80 store locations in Pennsylvania.
According to the Attorney General’s office, on May 28, 2019, Rutter’s first became aware of unauthorized activity on its network but concluded that customers’ payment card information was not stolen.
In December 2019, Rutter’s learned about a pattern of unauthorized charges associated with 30 Rutter’s store locations. As a result, Mastercard required Rutter’s to conduct an investigation, Henry’s office said.
An independent investigator found that the threat actors were previously successful in removing information attached to at least 1.3 million different payment cards in Rutter’s network. The independent investigator told the Attorney General’s office that the exact number of impacted consumers is unknown, as is the number of fraudulent transactions resulting from the stolen card information.
Along with the $1 million payment, the settlement requires Rutter’s to conduct and document a risk assessment, undergo an independent settlement compliance assessment, and implement security improvements.
The investigation was led by Senior Deputy Attorney General Tim Murphy and Senior Deputy Attorney General Debra Warring.