Their press release:
KANSAS CITY, Mo., Aug. 30, 2019 — Russell Stover Chocolates, LLC (Russell Stover) recently became aware of a data security incident potentially affecting certain data from payment cards used for purchases at Russell Stover retail stores during a limited timeframe. It is important to note that, at this time, there is no evidence that this incident impacted purchases made on Russell Stover’s website. Russell Stover is approaching this incident with the utmost importance and providing potentially impacted individuals with information on steps they can take to protect themselves.
Russell Stover determined that an unauthorized actor had possibly gained access to its point-of-sale (POS) systems through malware at Russell Stover’s retail stores. Upon learning of the incident, Russell Stover immediately initiated an investigation, engaged leading, independent cybersecurity experts, and took measures to eradicate and contain the malware. Russell Stover has also notified the appropriate law enforcement and regulatory authorities and is working closely with the payment card companies regarding this matter.
Based on its investigation to date, Russell Stover believes that, by means of the malware, the unauthorized actor may have been able to acquire certain data from payment cards used in Russell Stover retail stores during timeframes beginning no earlier than February 9, 2019 and no later than August 7, 2019.
While Russell Stover’s investigation is ongoing, the company believes that certain payment card data, including some consumers’ first and last names, payment card numbers and expiration dates could have been acquired. At this time, Russell Stover has no evidence that any information has been inappropriately used.
Russell Stover deeply regrets that this incident occurred and for any inconvenience or concern it causes its consumers. The security and privacy of consumers’ payment card data is a top priority, and Russell Stover is working to further strengthen its security measures, including through enhanced employee training and improved technical measures.
As a best practice, it is always advisable for individuals to remain vigilant and monitor their payment card statements for suspicious charges or activity they do not recognize. If a consumer suspects an unauthorized charge, they should immediately notify the bank or financial institution that issued the payment card. Payment card network rules generally state that payment cardholders are not responsible for fraudulent charges that are timely reported. Accordingly, Russell Stover consumers, like any payment cardholder, should promptly report unauthorized charges to the bank or financial institution that issued their payment card.
More information about the incident and steps that consumers can take to help protect themselves is available at www.russellstover.com/securityincident. Russell Stover has also set up a dedicated call center for consumers at 855-896-4449 available from 6 a.m. to 8 p.m. (Pacific) Monday through Friday and 8 a.m. to 5 p.m. (Pacific) on Saturday and Sunday (exclusive of holidays). When calling in, callers should use the reference number DB14273.