American Payroll Association Forgets to Patch Web Portal, Hackers Skim Credit Cards and Passwords Off Site


• American Payroll Association uncovered unusual activity on the site dating back to May 13
• Hackers exploited vulnerability to deploy card-skimming techniques and steal credit card data
• Identity thieves gained access to login information (i.e. username and password) and individual payment card information
• APA notice suggests IT reps forgot to patch the web portal

The American Payroll Association (APA), a professional association for individuals responsible for processing company payrolls, is warning clients of a recently discovered breach that exposed large amounts of financial and personal data.

Identity thieves use skimming to capture payment and personal information from a cardholder. Skimming typically involves physically tampering with an ATM or POS terminal, but it can also be done purely in software: a web skimmer is malicious script injected into a site's checkout or login page that copies whatever the visitor types into the form and sends it to a server the attacker controls. Apparently, that's what happened at APA, whose IT staff uncovered “unusual activity on the site dating back to May 13, 2020 at approximately 7:30 pm CT.”

“The APA experienced a skimming cyberattack in which personal information was accessed by unauthorized individuals,” the notification reads, according to databreaches.net.

“The source of the cyberattack is thought to have been a vulnerability in APA’s content management system, which allowed a ‘skimmer’ to be installed on both the login webpage of the APA website, as well as the checkout section of the APA’s online store,” it states.

The attackers gained access to usernames and passwords as well as payment card details and the personal data tied to those accounts.

The notice states that, by way of account access, the electronic fields that “may have been accessed” include:

  • First and last names
  • Email address
  • Job title and job role
  • Primary job function and direct supervisor
  • Gender
  • Date of birth
  • Address (either business or personal), including country, province or state, city, and postal code
  • Company name and size
  • Employee industry
  • Payroll software used at workplace
  • Time and attendance software used at work
  • Profile photos and social media username information (for “some” accounts only)

Embarrassingly, the APA all but admits that its technicians failed to apply available patches in time, leaving known vulnerabilities in its content management system for the attackers to exploit.

“Since discovering the cyberattack, APA has installed the latest security patches from our content management system to prevent any further exploitation of their website,” the statement continues. “APA technicians also reviewed all code changes made to the APA website since January; installed additional antivirus software on our servers; and increased the frequency of security patch implementation.”

If you are an APA member, check your bank and card statements closely in the coming months and watch out for phishing attempts, whether by email or SMS. Because the skimmer also sat on the login page, change your APA password and the password of any other account where you reused it. As a general rule, never respond to unsolicited messages asking for your personal data.