Cyber Incident Victim: American Payroll Association

Date: May 2020

Location: United States of America

Summary

The American Payroll Association suffered a Magecart-style skimming attack in which threat actors exploited a CMS vulnerability to deploy malicious scripts on its website login and e-commerce checkout pages, compromising personal and payment information. The breach exposed names, email addresses, job titles, company details, addresses, payroll software usage, and in some cases social media profiles. The organization addressed the incident by patching the CMS vulnerability, enhancing security monitoring, resetting user passwords, and offering affected individuals identity theft insurance and credit monitoring services.


Description

The American Payroll Association (APA) experienced a data breach after attackers compromised its website login page and online store checkout section using a web skimmer. The incident began on May 13, 2020, when threat actors exploited a vulnerability in the organization's content management system (CMS) to deploy malicious scripts designed to harvest sensitive information. This Magecart-style attack targeted individuals accessing the APA's website, which serves over 20,000 members and facilitates training seminars attended by approximately 36,000 professionals annually. The skimmer operated undetected for over two months until its discovery on July 23, 2020. During that time it collected login credentials (usernames and passwords) and payment card details entered by users. Compromised personal data included first and last names, email addresses, job titles, primary job functions, reporting structures, gender, dates of birth, and both business and personal addresses with geographic details. Additional exposed information encompassed company names, company sizes, employee industries, payroll software used at workplaces, and time and attendance software utilized by affected individuals. Social media profile data was also accessed in some cases.

Upon identifying the breach, APA immediately patched the CMS vulnerability used by the attackers and implemented enhanced security monitoring measures across its digital infrastructure. The organization reset all affected user passwords to prevent unauthorized account access stemming from compromised credentials. To address potential financial fraud and identity theft risks for impacted individuals, APA arranged for $1 million in identity theft insurance coverage and provided one year of complimentary credit monitoring services through Equifax. The breach specifically impacted members and customers who interacted with the compromised login and e-commerce pages during the two-month intrusion period. For APA, a nonprofit that issues industry certifications and maintains a professional resource library, the incident disrupted normal operations and necessitated direct breach notifications to those whose data was exfiltrated. No information regarding the identity or motives of the threat actors was disclosed in available reports.
