A Pennsylvania man claims in a proposed class action that Rutter’s Inc. failed to adequately prevent and respond to a data breach that exposed customers’ payment card information to unauthorized third parties.
The lawsuit explains that Rutter’s, which operates gas stations and convenience stores across Pennsylvania, West Virginia and Maryland, announced on February 13, 2020 that “an unauthorized actor” had gained access to customers’ payment card data by installing malware on some point-of-sale devices. According to a post on Rutter’s website, customers’ names, credit and debit card numbers, card expiration dates and security codes may have been accessed from as early as August 30, 2018 through May 29, 2019.
The lawsuit argues that Rutter’s was on notice as to the risk of data breaches due to a “Security Alert” issued to gas station operators by Visa in November 2019. Despite the warning, Rutter’s failed to detect the breach for 18 months after customers’ private information was first accessed and waited another month before informing affected individuals, the case alleges.
The suit decries Rutter’s response to the breach as “wholly insufficient,” relaying that the defendant failed to provide any remedies, including credit monitoring and fraud insurance, for customers’ injuries even though similar solutions have been made available to victims of other recent data breaches. To date, Rutter’s has taken “no affirmative steps” beyond notifying customers of the breach to protect them from the “indefinite undeniable risk of fraud and identity theft,” the lawsuit says.
With regard to the plaintiff, the suit says the man discovered in February 2020 that his credit card had been used to make a fraudulent purchase from United Airlines in the amount of $2,477. The man says he has spent at least five hours mitigating the harm caused by the data breach and will likely spend additional time dealing with the “burdensome and time-consuming process” of monitoring his accounts.
The lawsuit seeks to cover anyone in the U.S. whose credit or debit card numbers were compromised in the Rutter’s breach, with a proposed class of Pennsylvania residents.