[BreachExchange] American Payroll Association discloses credit card theft incident

Wed Sep 2 10:35:04 EDT 2020

https://www.bleepingcomputer.com/news/security/american-payroll-association-discloses-credit-card-theft-incident/

The American Payroll Association (APA) disclosed a data breach
affecting members and customers after attackers successfully planted a
web skimmer on the organization's website login and online store
checkout pages.

APA is a nonprofit professional association with more than 20,000
members and 121 APA-affiliated local chapters that organizes training
seminars and conferences, attended every year by over 36,000
professionals.

The organization also issues industry-recognized certifications and
provides professionals with a library of resource texts.

Login and financial information stolen

APA discovered around July 23, 2020, that its website and online store
were breached by unknown threat actors who deployed a skimmer designed
to collect and exfiltrate sensitive information to attacker-controlled
servers.

The attackers used a security vulnerability in the organization's
content management system (CMS) to hack into APA's site and online
store according to a data breach notification sent to affected
individuals by Robert Wagner, APA's Senior Director of Govt. and
Public Relations, Certification, and IT.

Once they gained access to the organization's site and store, they
deployed the skimmer on both the login page of the website and on the
checkout section of APA's e-commerce store.

According to APA's security team, the malicious activity was traced
back to May 13, 2020, at roughly 7:30 pm CT.

"The unauthorized individuals gained access to login information (i.e.
username and password) and individual payment card information (i.e.
credit card information and associated data)," APA said.

By way of account access, the electronic fields that may have been
accessed include: First and Last Names; Email Address; Job Title and
Job Role; Primary Job Function and to whom you “Report”; Gender; Date
of Birth; Address (either business of personal), including country,
province or state, city, and postal code; Company name and size;
Employee Industry; Payroll Software used at Workplace; Time and
Attendance software used at work.

Furthermore, in some cases, the attackers were also able to gain
access to social media usernames and profile photos of the impacted
APA members and customers.

Magecart attack behind the disclosed data breach

This type of attack is known as a web skimming attack (also known as
Magecart or e-skimming) and it is usually the result of threat actors
deploying card skimmer scripts on e-commerce websites using either a
CMS vulnerability or a compromised admin account.

After discovering the attack, APA immediately installed the latest
security updates for their site's and store's CMS to block future
exploitation attempts.

APA's security team also increased the frequency of security patches
and deployed anti-malware solutions on the affected servers after
reviewing all the code changes made to the two sites since the start
of 2020.

APA has also reset passwords for all affected users, and it's offering
$1,000,000 in identity theft insurance and one year of free credit
monitoring through Equifax.