American Payroll Association Discloses Credit Card Theft Incident


Image: Scott Graham

The American Payroll Association (APA) disclosed a data breach affecting members and customers after attackers successfully planted a web skimmer on the organization’s website login and online store checkout pages.

APA is a nonprofit professional association with more than 20,000 members and 121 APA-affiliated local chapters that organizes training seminars and conferences, attended every year by over 36,000 professionals.

The organization also issues industry-recognized certifications and provides professionals with a library of resource texts.

Login and financial information stolen

APA discovered around July 23, 2020, that its website and online store were breached by unknown threat actors who deployed a skimmer designed to collect and exfiltrate sensitive information to attacker-controlled servers.

The attackers exploited a security vulnerability in the organization’s content management system (CMS) to break into APA’s site and online store, according to a data breach notification sent to affected individuals by Robert Wagner, APA’s Senior Director of Govt. and Public Relations, Certification, and IT.

Once they gained access to the organization’s site and store, they deployed the skimmer on both the login page of the website and on the checkout section of APA’s e-commerce store.

According to APA’s security team, the malicious activity was traced back to May 13, 2020, at roughly 7:30 pm CT.

“The unauthorized individuals gained access to login information (i.e. username and password) and individual payment card information (i.e. credit card information and associated data),” APA said.

By way of account access, the electronic fields that may have been accessed include: First and Last Names; Email Address; Job Title and Job Role; Primary Job Function and to whom you “Report”; Gender; Date of Birth; Address (either business or personal), including country, province or state, city, and postal code; Company name and size; Employee Industry; Payroll Software used at Workplace; Time and Attendance software used at work.

Furthermore, in some cases, the attackers were also able to gain access to social media usernames and profile photos of the impacted APA members and customers.


Magecart attack behind the disclosed data breach

This type of attack is known as a web skimming attack (also known as Magecart or e-skimming) and it is usually the result of threat actors deploying card skimmer scripts on e-commerce websites using either a CMS vulnerability or a compromised admin account.

After discovering the attack, APA immediately installed the latest security updates for their site’s and store’s CMS to block future exploitation attempts.

APA’s security team also increased the frequency of security patches and deployed anti-malware solutions on the affected servers after reviewing all the code changes made to the two sites since the start of 2020.

APA has also reset passwords for all affected users, and it’s offering $1,000,000 in identity theft insurance and one year of free credit monitoring through Equifax.

