Cyber Incident Victim: Aptos
Date: Feb 2016
Location: United States of America
Summary
A backend service provider suffered a security breach when attackers injected malware into its systems, compromising customer payment card details, personal information, and transaction records across 40 online retail clients. The malware operated undetected for an extended period, with law enforcement requesting a 60-day delay in public disclosure to aid the investigation. Impacted retailers independently notified affected individuals after the mandated silence period, with some offering credit monitoring services. The provider collaborated with federal authorities during the incident but delegated consumer notifications to its retail partners, which confirmed unauthorized access to sensitive financial and personal data.
Description
The Aptos data breach originated from a malware infection impacting the backend systems of the retail services provider, compromising approximately 40 online stores between February and December 2016. Attackers infiltrated Aptos-hosted infrastructure, deploying spyware designed to harvest customer payment card numbers, expiration dates, full names, physical addresses, phone numbers, and email addresses. The intrusion remained undetected until November 2016, when Aptos discovered the compromise and initiated an investigation with the FBI and U.S. Department of Justice. Law enforcement requested a 60-day notification delay to preserve investigative integrity, preventing Aptos from alerting affected retailers until February 6, 2017. Retailers subsequently filed breach disclosures with state authorities, revealing the malware's 10-month persistence on Aptos systems. Liberty Hardware confirmed its February 7 notification from Aptos, while Affy Tapple identified 19 Washington-state customers with exposed payment records.

The delayed disclosure shifted consumer notification responsibilities to individual retailers, with Aptos declining to publicly identify impacted businesses. Affy Tapple offered affected customers one year of credit monitoring, while other retailers prepared similar breach disclosures throughout February 2017. The malware specifically targeted transaction records processed through Aptos' digital commerce platforms, though the infection vector remained unspecified. Federal investigators maintained oversight throughout the containment process, though no attribution or arrest details were disclosed. Retail breach notifications emphasized Aptos' operational role in the incident, with compromised merchants bearing direct costs for consumer remediation efforts. The incident exposed systemic risks in third-party retail service providers, with attackers exploiting centralized infrastructure to compromise multiple merchants simultaneously through a single intrusion point.
