The American Payroll Association (APA) has issued a data breach notification after being hit by a skimming attack.
Threat actors installed skimming malware on both the login web page of the APA website and the checkout section of the association’s online store by exploiting a vulnerability in the APA’s content management system.
The data security incident was discovered “on or around July 13, 2020.” An investigation by the APA’s IT team uncovered unusual activity on the APA site dating back to May 13, 2020.
As a result of the attack, unauthorized individuals gained access to login credentials; personal information, including names and dates of birth; and individual payment card information.
A security incident notice sent to customers by the APA in August and signed by the association’s senior director of government and public relations, Robert Wagner, states: “The unauthorized individuals gained access to login information (i.e., username and password) and individual payment card information (i.e., credit card information and associated data).”
Cyber-attackers were also able to access profile photos and social media username information contained in some accounts.
Since the attack, the APA has installed additional antivirus software on its servers, installed “the latest security patches from our content management system,” and increased the frequency of patch implementation.
Victims of the data breach have been offered 12 months of free credit monitoring and $1,000,000 in identity theft insurance.