The American Payroll Association (APA) disclosed on July 13, 2020, that it was the victim of a data breach affecting employee and customer information. The attackers injected a web skimmer into the login and checkout pages of the association’s website. In a security alert, APA stated that the threat actors extracted personal data by exploiting a vulnerability in the association’s content management system (CMS).
Information Accessed in the Data Breach
The attackers gained access to login information (usernames and passwords); payment card information (credit card numbers); and personal information such as names, dates of birth, email addresses, job titles and roles, primary job function, addresses, employee industry, and type of payroll software used. They also obtained profile photos and social media usernames associated with some accounts.
APA notified the users affected in the incident and offered 12 months of free credit monitoring and $1,000,000 in identity theft insurance.
“Since discovering the cyberattack, APA has installed the latest security patches from our content management system to prevent any further exploitation of their website. APA technicians also reviewed all code changes made to the APA website since January; installed additional antivirus software on our servers; and increased the frequency of security patch implementation,” the Association said.
Magecart Attack, Again?
The attack APA suffered is known as a Magecart attack (also called web skimming or e-skimming), in which attackers inject malicious JavaScript into e-commerce websites after exploiting a CMS vulnerability. Several earlier security incidents have been attributed to Magecart groups. Recently, researchers at threat intelligence firm RiskIQ uncovered a new Magecart campaign, dubbed “Magecart Group 7,” that compromised over 19 e-commerce websites to steal customers’ payment card data. The researchers identified a software skimmer, “MakeFrame,” which injects HTML iframes into the targeted websites to capture payment information.
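Both the APA skimmer and MakeFrame work by adding a script or iframe to a page the site owner did not author. A site owner can catch that class of change by comparing the scripts and frames on a fetched copy of their own login or checkout page against a known-good baseline. The following is an added example written for this article; it is not code from APA, RiskIQ, or any Magecart sample. The allowlisted origins (`shop.example`, `cdn.example`), the baseline inline-script hash, and the sample HTML (using reserved `.invalid` hostnames for the injected resources) are all constructed for illustration.

```python
"""Baseline check for unexpected <script> and <iframe> tags on a page.

Added example, not code from the article or from APA. The allowlist,
the inline-script baseline and the sample HTML are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import hashlib

# Constructed allowlist: origins the site owner knows serve its scripts/frames.
ALLOWED_ORIGINS = {"shop.example", "cdn.example"}

# Constructed baseline: SHA-256 of inline scripts the site legitimately ships.
KNOWN_INLINE_SHA256 = {
    hashlib.sha256(b"window.dataLayer = [];").hexdigest(),
}


class TagCollector(HTMLParser):
    """Collect script/iframe sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.iframe_srcs = []
        self.inline_scripts = []
        self._in_inline_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            src = attrs.get("src")
            if src:
                self.script_srcs.append(src)
            else:
                self._in_inline_script = True
                self._buf = []
        elif tag == "iframe":
            self.iframe_srcs.append(attrs.get("src") or "")

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data.
        if self._in_inline_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self._in_inline_script = False
            self.inline_scripts.append("".join(self._buf).strip())


def origin_of(url):
    """Return the host of an absolute URL; relative URLs count as first-party."""
    host = urlparse(url).hostname
    return host if host else "first-party"


def find_suspicious(html):
    """Return (kind, value) findings for anything outside the baseline."""
    p = TagCollector()
    p.feed(html)
    findings = []
    for src in p.script_srcs:
        o = origin_of(src)
        if o != "first-party" and o not in ALLOWED_ORIGINS:
            findings.append(("external-script", src))
    for src in p.iframe_srcs:
        o = origin_of(src)
        if o != "first-party" and o not in ALLOWED_ORIGINS:
            findings.append(("external-iframe", src))
    for body in p.inline_scripts:
        if hashlib.sha256(body.encode()).hexdigest() not in KNOWN_INLINE_SHA256:
            findings.append(("unknown-inline-script", body[:60]))
    return findings


# Constructed sample of a checkout page with two unexpected resources.
SAMPLE_HTML = """
<html><body>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script>window.dataLayer = [];</script>
<script src="https://stats.placeholder.invalid/s.js"></script>
<iframe src="https://pay.placeholder.invalid/form" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for kind, value in find_suspicious(SAMPLE_HTML):
        print(f"{kind}: {value}")
```

Run against the sample, the check reports the foreign script and the hidden iframe while accepting the first-party and CDN resources and the baselined inline snippet. In practice the baseline is taken from a clean build of the site, the check runs on a schedule against the live login and checkout pages, and any new finding is treated as a code change to review; a Content-Security-Policy restricting `script-src` and `frame-src` to the same allowlist blocks the same injections in the browser.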