[BreachExchange] Online shops plundered by bank card-stealing malware after bungling backend Aptos hacked

Audrey McNeil audrey at riskbasedsecurity.com
Wed Mar 1 20:19:31 EST 2017


https://www.theregister.co.uk/2017/03/01/aptos_craptos_security/

Shoppers of 40 online stores have had their bank card numbers and addresses
slurped by a malware infection at backend provider Aptos.

The security breach occurred late last year when a crook was able to inject
spyware into machines Aptos used to host its retail services for online
shops. This software nasty was able to access customer payment card numbers
and expiration dates, full names, addresses, phone numbers and email
addresses, we're told.

Rather than being alerted to the infiltration by Aptos itself, instead we
were warned this week by Aptos' customers – the retailers whose websites
were infected by the malware on the backend provider's servers.

According to these stores, which have had to file computer security breach
notifications with state authorities, the malware was active on Aptos
systems from February through December of 2016.

A spokesperson for Aptos – based in Atlanta, Georgia – told The Register
the biz had been working with the FBI and US Department of Justice to
investigate the ransacking, and was required to keep quiet about the
infection for two months before notifying its customers.

"As the 60-day period expired on Sunday, February 5, we contacted impacted
retailers starting on Monday, February 6 to provide a synopsis of the
situation," Aptos said.

"We are working closely with the specific digital commerce customers who
were impacted by this incident to ensure affected consumers are notified in
a transparent, accurate and timely manner in accordance with US-based state
disclosure laws for data security incidents."

Among the affected companies is Liberty Hardware, which told the state of
Montana that it was notified of the breach on February 7.

"Aptos has informed us that they discovered the intrusion in November
2016," Liberty Hardware said. "We understand that Aptos then contacted
Federal law enforcement agencies and the US Department of Justice, and law
enforcement requested that notification to businesses (including Liberty
Hardware) be delayed to allow the investigation to move forward."

Some of the customers, such as sweets site Affy Tapple, are footing the
bill for a year's credit monitoring for customers exposed by the breach.
"Aptos has advised us that the unauthorized person(s) potentially had
access to the payment card transaction records of 19 of Affy Tapple's
customers with billing addresses in Washington," the site says.

Other businesses will likely be following with their own disclosures. Aptos
said it is letting the companies affected handle the notifications on their
own and will not name them individually. So if you shopped online around
November last year, and you get a note from one of the 40 affected websites
confessing your payment card details were stolen, you know who to blame.