Data Security, Breach, Privacy

Electronic payment firm Slim CD notifies 1.7M customers of data breach

Share

Slim CD, a company that provides processing services for electronic payments, has notified nearly 1.7 million credit card holders that their data may have been stolen in a June breach.

In a website notice published by Slim CD, as well as breach notification letter samples provided to the attorneys general of Maine, California and Vermont, the company admitted that their systems were accessed by an attacker between Aug. 17, 2023, and June 15, 2024.  

However, the notifications state that credit card information was only accessed between June 14 and June 15, 2024. The intrusion was discovered on June 15 and an investigation by a third-party expert that uncovered the full scope of the attack, according to Slim CD.

“When organizations realize that cybercriminals are inside their network for long periods, there is a gap with continuous security monitoring. Accompanied by a robust Security Incident Management (SIEM) system integrated with threat intelligence, the breach could have been detected sooner,” James McQuiggan, a security awareness advocate at KnowBe4, told SC Media.

Affected individuals, who made credit card payments on the websites of United States and Canada-based Slim CD clients, began receiving breach notifications last Friday. Information potentially accessed by the attacker included names, addresses, credit card numbers and credit card expiration dates.

The incident was reported to federal law enforcement and regulatory authorities. Slim CD said it reviewed its data privacy and security policies and implemented additional safeguards following the incident.

The California version of the sample breach notification included instructions to enroll in complimentary credit monitoring, insurance reimbursement and identity theft recovery services through IDX, with an enrollment deadline of Dec. 5, 2024.

No further details or attribution regarding the attack have been disclosed by Slim CD.

“Organizations must ensure that protection their intellectual property or customer data is the highest level, and using the highest level of security will significantly reduce the risk of an attack. All human interactions must use proper account management, such as multi-factor and non-phishable authentication (MFA),” McQuiggan said. “Organizations with sensitive data must employ proactive, layered security measures, combining technology solutions with user education and fast incident response practices to stand up against cyber threats.”