Online shops plundered by bank card-stealing malware after bungling backend Aptos hacked

Shoppers of 40 online stores have had their bank card numbers and addresses slurped by a malware infection at backend provider Aptos.

The security breach occurred late last year when a crook was able to inject spyware into machines Aptos used to host its retail services for online shops. This software nasty was able to access customer payment card numbers and expiration dates, full names, addresses, phone numbers and email addresses, we're told.

Rather than being alerted to the infiltration by Aptos itself, instead we were warned this week by Aptos' customers – the retailers whose websites were infected by the malware on the backend provider's servers.

According to these stores, which have had to file computer security breach notifications with state authorities, the malware was active on Aptos systems from February through December of 2016.

A spokesperson for Aptos – based in Atlanta, Georgia – told The Register the biz had been working with the FBI and US Department of Justice to investigate the ransacking, and was required to keep quiet about the infection for two months before notifying its customers.

"As the 60-day period expired on Sunday, February 5, we contacted impacted retailers starting on Monday, February 6 to provide a synopsis of the situation," Aptos said.

"We are working closely with the specific digital commerce customers who were impacted by this incident to ensure affected consumers are notified in a transparent, accurate and timely manner in accordance with US-based state disclosure laws for data security incidents."

Among the affected companies is Liberty Hardware, which told the state of Montana that it was notified of the breach on February 7.

"Aptos has informed us that they discovered the intrusion in November 2016," Liberty Hardware said. "We understand that Aptos then contacted Federal law enforcement agencies and the US Department of Justice, and law enforcement requested that notification to businesses (including Liberty Hardware) be delayed to allow the investigation to move forward."

Some of the customers, such as sweets site Affy Tapple, are footing the bill for a year's credit monitoring for customers exposed by the breach. "Aptos has advised us that the unauthorized person(s) potentially had access to the payment card transaction records of 19 of Affy Tapple's customers with billing addresses in Washington," the site says.

Other businesses will likely be following with their own disclosures. Aptos said it is letting the companies affected handle the notifications on their own and will not name them individually. So if you shopped online around November last year, and you get a note from one of the 40 affected websites confessing your payment card details were stolen, you know who to blame.

Aptos, its CEO Noel Goggin, and his team. ®