The American Payroll Association (APA) has issued a data breach notification after being hit by a skimming attack.
Threat actors installed skimming malware on both the login web page of the APA website and the checkout section of the association's online store by exploiting a vulnerability in the APA’s content management system.
The data security incident was discovered "on or around July 13, 2020." An investigation by the APA's IT team uncovered unusual activity on the APA site dating back to May 13, 2020.
As a result of the attack, unauthorized individuals gained access to login credentials, personal information (including names and dates of birth), and individual payment card information.
A security incident notice sent to customers by the APA in August and signed by the association's senior director of government and public relations, Robert Wagner, states: "The unauthorized individuals gained access to login information (i.e., username and password) and individual payment card information (i.e., credit card information and associated data).
"By way of account access, the electronic fields that may have been accessed include: First and Last Names; Email Address; Job Title and Job Role; Primary Job Function and to whom you 'Report'; Gender; Date of Birth; Address (either business or personal), including country, province or state, city, and postal code; Company name and size; Employee Industry; Payroll Software used at Workplace; Time and Attendance software used at work."
Cyber-attackers were also able to access profile photos and social media username information contained in some accounts.
Since the attack, the APA has installed additional antivirus software on its servers, installed "the latest security patches from our content management system," and increased the frequency of patch implementation.
Victims of the data breach have been offered 12 months of free credit monitoring and $1,000,000 in identity theft insurance.
"The APA is an attractive target for Magecart attackers since their members have access to tools and systems that contain payroll data for millions of individuals. The attackers can brute force other payroll systems using the same stolen credentials to find other account takeover targets," commented Ameet Naik, security evangelist at PerimeterX.