(WHTM) — Pennsylvania Attorney General Michelle Henry has announced a settlement with Rutters, a York-based convenience store chain with 80 locations in Pennsylvania. The settlement comes after cybersecurity attacks exposed the information of more than a million customer payment cards.

“This massive breach of data could have been catastrophic for countless consumers whose personal information was exposed due to flimsy safeguards in place at the time,” Attorney General Henry said. “This settlement involves significant financial payment, but also assurance that future risk will be minimized.”

According to the Attorney General’s office, the attacks took place over the course of nine months between 2018 and 2019. These attacks involved 79 store locations and more than 1.3 million payment cards.

The Attorney General’s investigation revealed that Rutter’s “failed to properly employ reasonable data security measures in protecting consumers’ sensitive personal information in violation of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law,” according to the office.

According to the Attorney General’s office, Rutter’s first became aware of unauthorized activity on its network on on May 28, 2019. The company concluded however that customers’ payment card information was not stolen.

In December 2019, Rutter’s learned about a pattern of unauthorized charges that was associated with 30 store locations.

The company was then required by Mastercard to conduct an investigation which revealed that the actors had been successful in removing information attached to at least 1.3 million different payment cards in the network.

The exact number of impacted consumers is not known.

As part of the settlement, Rutters has agreed to pay $1 million, improve safety measures, conduct and document a risk assessment, and undergo an independent settlement compliance assessment.

The company will be required to implement the following security measures, according to the Attorney General’s office.

  • Information Security Program: Rutter’s must maintain a comprehensive information security program that is appropriately designed to protect the security, confidentiality, and integrity of personal information that it collects, receives, or processes.
  • Password Management: Rutter’s must implement appropriate password management.
  • Logging and Monitoring: Rutter’s must implement and maintain logging and log monitoring policies and procedures.
  • Update Software: Rutter’s must maintain, keep updated, and support the software on its network.
  • Disable service accounts: Rutter’s must disable service accounts that are no longer used for any legitimate business purpose.
  • Incident Response: Rutter’s must detect and respond to suspicious network activity within its network within reasonable means.