Avery label maker confirms attack on its site, customer credit card info stolen

• Avery discovers a credit card skimmer installed on its website
• Tens of thousands of people have had their sensitive data taken
• It is now offering free credit monitoring services to affected individuals

Hackers have been discovered stealing payment and personally identifiable information (PII) from customers of printing giant Avery for over half a year, experts have claimed.

Tens of thousands of people may have been affected by the incident affecting Avery Products Corporation, a major manufacturer of printable labels, name tags, dividers, and other customizable office supplies.

In a data breach notification letter sent to affected customers, Avery said it became aware of a “ransomware attack” on December 9 2024.

Files abused in the wild

“Our investigation determined that an unauthorized actor inserted malicious software that was used to “scrape” credit card information used on our website between July 18, 2024, and December 9, 2024,” the letter reads.

The company added the scraper most likely exfiltrated people’s full names, billing and shipping addresses, email addresses and phone numbers, payment card information (including CVV numbers and expiration dates), and purchase amounts.

Social Security numbers (SSN), driver’s license numbers and other government-issued ID numbers, birth dates, and other sensitive personal information, were not taken, Avery said.

At first, the company did not see any evidence of in-the-wild abuse of the stolen information, but now it warns that it might have been the case.

“Initially, we had no evidence that any of the information was acquired (e.g., downloaded or exfiltrated from the website)," it added, "nor did we have any indication that the information had been used in any way – such as to make fraudulent purchases. We do not know if fraudulent charges are related to our website incident, but it now appears possible that payment-card (and other) information may have been acquired as we received two emails from customers who indicated that they incurred a fraudulent charge and/or phishing email. We received a number of similar reports this month.”

A separate report filed with the Maine Office of the Attorney General, Avery said that 61,193 people were affected by this attack. To mitigate the risks, the company is offering 12 months of free credit monitoring and identity theft protection services through Cyberscout.

Via BleepingComputer

You might also like

• Chinese hackers are switching to new malware for government attacks
• Here's a list of the best antivirus tools on offer
• These are the best endpoint protection tools right now