Avery had credit card skimmer stuck on its site for months
The consequences of a wave of credit card skimmers—which is normal around the holidays—are starting to show.
Label maker Avery has filed a data breach notification, saying 61,193 people may have had their credit card details stolen.
On December 9, Avery said it became aware of an attack on its systems. An investigation showed that cybercriminals had inserted malicious software that was used to “scrape” credit card information used on its website. This credit card skimmer was active between July 18, 2024, and December 9, 2024.
Avery has sent emails to affected customers to let them know their data has been stolen.
The information potentially included:
- First and last name
- Billing and shipping address
- Email address
- Phone number if provided
- Payment card information including CVV number and expiration date
- Purchase amount
Avery says it has received a number of reports from affected customers who said that they incurred a fraudulent charge and/or received a phishing email.
A credit card skimmer is a piece of malware that is injected into a website, often through vulnerabilities in the content management system (CMS) or the plugins that the site owner uses.
When visiting a site that has a card skimmer on it, you’re unlikely to even know it is there. Card skimmers are experts in injecting JavaScript code, especially on web shops which heavily rely on that type of code, which increases the chance that the extra code will not stand out. Sadly, card skimmers are all too commonplace, but there are things you can do to prevent your details being caught by one.
How to protect yourself from card skimmers
- Run a security solution and keep it up to date. Most antivirus products—including Malwarebytes Premium—offer some kind of web protection that detects malicious domains and IP addresses.
- Enable in-browser protection. Malwarebytes Browser Guard—a browser extension available for Chrome, Edge, Firefox and Safari—blocks card skimmers. It also stops annoying ads and trackers, warns about breaches, and flags malicious websites. You can see it in action here, blocking a piece of JavaScript hosted on an otherwise legitimate site:
- Keep an eye on your financial statements. Regularly check your online bank and credit card statements. Flag anything that seems suspicious.
- Set up identity and credit monitoring. Identity monitoring alerts you if your personal information is found being illegally traded online, and helps you recover after. Credit monitoring tracks your credit report and borrowing behavior and alerts you if anything changes. A breached company may offer this as a service to you (like Avery is), but you can also get different levels of monitoring solutions, depending on your individual need.
More information on how to act after falling victim to a data breach can be found in our article: Involved in a data breach? Here’s what you need to know.
