Menu
Browse

Cyber Incident Victim: Avery Products Corporation

Date:

Jul 2024

Location:

United States of America

Summary

Avery Products Corporation suffered a data breach after its website was compromised with a card skimmer. The malicious software was used to scrape sensitive customer payment information inputted on the online shop over a period of several months. The exfiltrated data included names, addresses, email addresses, phone numbers, and full payment card details. The incident impacted over 61,000 customers.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 2 techniques
Threat Actors Type Location
0 actors Available to members Available to members

Description

Avery Products Corporation, an American manufacturer and seller of self-adhesive labels and printing services, suffered a data breach after its website was compromised. The company discovered it was attacked on December 9, 2024, and immediately launched an internal investigation with the aid of digital forensic experts. The investigation determined that threat actors had planted a card skimmer on the company's online shop domain, 'avery.com,' on July 18, 2024. This malicious software was used to scrape sensitive payment information from customers who used the website between July 18, 2024, and December 9, 2024. The compromised data was exfiltrated to the threat actors. The company stated the incident was related to a ransomware attack on certain systems, though the primary impact was the theft of customer payment data.

Cyber Incident Image

The data compromised in the breach included customers' first and last names, billing and shipping addresses, email addresses, phone numbers, payment card numbers, CVV codes, expiration dates, and purchase amounts. The exposure did not include Social Security numbers, driver's license numbers, government-issued ID numbers, or dates of birth. According to a filing on Maine's Attorney General portal, the incident impacted 61,193 customers. Avery received emails from customers reporting fraudulent charges and phishing attempts, leading the company to conclude it was possible the stolen information was being misused. In response, Avery is providing impacted customers with 12 months of free credit monitoring service through Cyberscout. The company also advised recipients of its data breach notification to be cautious of unsolicited communications and to report any suspicious activity on their accounts to their bank and authorities. A dedicated assistance line was set up to address customer questions and concerns.

Sources
Sources available to members
1 source