Rutter’s Holdings faces a proposed class action lawsuit over a data breach that hit an unknown number of the convenience store and gas station operator’s 72 locations across Pennsylvania, West Virginia and Maryland between 2018 and 2019.
Filed in Pennsylvania district court, the lawsuit states that consumers learned in early September 2018 that their private information had been stolen from Rutter’s database by hackers due to the company’s apparent “security failures.” Nearly two months following Rutter’s first disclosure of the incident, however, the company announced that it had discovered through an internal investigation that the data breach was far worse than initially believed.
According to a February 13, 2020 post on its website titled “Notice of Credit Card Incident,” Rutter’s had been made aware of a malware intrusion on its payment processing servers that compromised customers’ payment card data. The company informed consumers that an “unauthorized actor” may have accessed payment card data from cards used on point-of-sale devices at some fuel pumps and inside some convenience stores via malware. Rutter’s added that it believed the general timeframe in which customers’ payment card data was compromised was between October 1, 2018 and May 29, 2019, with one location believed to have been affected as early as August 30, 2018 and nine others possibly hacked the following month.
The case stresses, however, that neither Rutter’s statement on the data breach nor any other comments by the company offered any indication as to the actual magnitude of the incident, including the true number of stores impacted or customers and cards affected. Further, the complaint adds that although Rutter’s has said it notified law enforcement and engaged with cybersecurity firms in investigating the incident, it’s still unclear “what such efforts involve,” given the company has not divulged what was shared with authorities.
Rutter’s security failures, the lawsuit claims, have exposed consumers’ personal and financial information and interests to “serious, immediate, and ongoing risk.” According to the suit, customer information taken in the breach included names, billing addresses, email addresses and credit card information.
“The Security Breach was caused and enabled by Rutter’s knowing violation of its obligations to abide by best practices and industry standards concerning the security of its users’ Private Information,” the complaint reads.
The plaintiff claims that he discovered in Fall 2019 that his checking account had been improperly accessed and emptied as a result of the security incident. The man claims to have spent significant time addressing the damage from the data breach, including missing work time to file a police report and going without access to his bank account for roughly one week while he awaited a new debit card.
The lawsuit looks to cover a class of consumers in the U.S. who paid for items via credit card at Rutter’s between August 30, 2018 and May 29, 2019, with an additional proposed subclass looking to cover Pennsylvania residents.