Shoppers at 40 online stores have had their bank card numbers and addresses captured by a malware infection at backend provider Aptos.
The security breach occurred late last year, when a hacker was able to inject spyware into machines that Aptos used to host its retail services for several online shops. This software nasty got access to customer payment card numbers and expiration dates, full names, addresses, phone numbers and email addresses, it was reported.
According to these stores, which had to file computer security breach notifications with state authorities, the malware was active on Aptos systems from February through December of 2016, a span of 11 months, without being noticed by the administration.
A spokesperson for Aptos – based in Atlanta, Georgia – told The Register it had been working with the FBI and US Department of Justice to investigate the ransacking, and was required to keep quiet about the infection for two months before notifying its customers.
Some of Aptos's customers, such as sweets site Affy Tapple, are footing the bill for a year’s credit monitoring for the shoppers who were exposed by the breach. “Aptos has advised us that the unauthorized person(s) potentially had access to the payment card transaction records of 19 of Affy Tapple’s customers with billing addresses in Washington,” the site stated.
Other businesses will mostly be following with their own disclosures submitted to the state. Aptos said it is letting the affected companies handle the notifications themselves and will not disclose their names. So if you shopped online around November last year, and you get a note from one of the 40 affected websites confessing your payment card details were stolen, you know who’s at fault.
Aptos, its CEO Noel Goggin, and his team.