Around 1.7 million people will receive a letter from Florida-based Slim CD, if they haven't already, after the company detected an intrusion dating back nearly a year.
Slim CD provides payment processing solutions - and credit card numbers along with their expiry dates are among the data types potentially compromised in the incident.
The cardholder's name and address may also be affected, meaning potential for financial fraud should that data be sold, although Slim CD says it hasn't detected any misuse of the data.
"Slim CD takes the confidentiality, privacy, and security of information in its possession very seriously," the company said in a letter to potentially affected individuals. "Upon discovery of this incident, Slim CD quickly commenced a thorough investigation and took steps to implement additional safeguards and review our policies and procedures relating to data privacy and security.
"Slim CD also took steps to report this incident to federal law enforcement, and regulatory authorities, as required by law. Slim CD has been working diligently to provide affected individuals with accurate and complete notice, and on September 6, 2024, Slim CD began sending emails to potentially affected individuals."
- The fingerpointing starts as cyber incident at London transport body continues
- Planned Parenthood confirms cyber-attack as RansomHub threatens to leak data
- AMD internal data reportedly offered for sale
- 31.5M invoices, contracts, patient consent forms, and more exposed to the internet
The Register asked Slim CD for additional information, and we'll update the story if it responds.
Among the questions we put to the company was why it took so long for the break-in to be detected, and whether it believed there were any failures in its ability to detect such incidents.
A postmortem carried out by the company and third-party experts revealed that the intrusion began on August 17, 2023, but was only discovered "on or about" June 15 this year.
Slim CD didn't say what system or systems were compromised as a result of the attack but confirmed that credit card-related data may have been accessed between June 14 and June 15, suggesting this was what alerted the company to the initial intrusion.
What the attacker did with the access prior to June 14 remains a mystery. We have also asked Slim CD about this.
There was no apology in the letter [PDF] sent to the 1.693 million potentially affected customers, who were instead encouraged to order a free credit report and remain vigilant against any malicious account activity. ®