Full Report
An investigation into a ransomware attack led label-maker Avery Products to also find malware that was skimming credit card details from transactions on its website, according to a data breach notification by the company.
Analysis Summary
# Incident Report: Ransomware Pretext for Web Skimmer Data Breach at Label Supplier
## Executive Summary
A ransomware attack discovered on December 9, 2024, prompted an investigation at Avery Products, revealing a parallel data breach where malicious software was used to scrape customer credit card and personal information from the company's website between July 2024 and January 2025. While the ransomware attack targeted payment processing application systems and did not affect internal operations, the subsequent data compromise exposed data for approximately 67,000 customers, leading to confirmed customer reports of fraudulent charges and phishing attempts.
## Incident Details
- Discovery Date: December 9, 2024 (Ransomware discovery, leading to data breach investigation)
- Incident Date: Data scraping occurred between July 18, 2024, and January 5, 2025. Ransomware discovered December 9, 2024.
- Affected Organization: Avery Products (World’s largest supplier of labels, specialty converted media, and software solutions).
- Sector: Manufacturing (and Retail/E-commerce component).
- Geography: USA (Notices filed in Maine, California, Texas, Massachusetts, Vermont, and Iowa).
## Timeline of Events
### Initial Access
- **Date/Time:** Attack window began July 18, 2024.
- **Vector:** Insertion of malicious software (web skimmer/malware) onto the credit card entry form on the company website.
- **Details:** The malware was specifically inserted into the payment processing application, allowing unauthorized viewing and scraping of data entered by customers.
### Lateral Movement
- *Not explicitly detailed for the data breach; the ransomware incident stated it did not affect internal Avery systems.*
### Data Exfiltration/Impact
- **Date/Time:** During the window of July 18, 2024, to January 5, 2025.
- **Details:** Names, billing and shipping addresses, phone numbers, and payment card information (including CVV numbers and expiration dates) were stolen for approximately 67,000 customers. The company later acknowledged the potential for fraud after receiving customer complaints.
### Detection & Response
- **Detection:** Ransomware attack was discovered on December 9, 2024. This prompted an in-depth forensic investigation which uncovered the preceding data scraping activity.
- **Response Actions:** Initiated forensic investigation, filed breach notification letters to regulators in multiple states (ME, CA, TX, MA, VT, IA), and began communication with affected customers.
## Attack Methodology
- **Initial Access:** Injection of malicious software onto the payment application's credit card entry form (Web Skimming/Magecart-style attack).
- **Persistence:** Not explicitly detailed for the skimming component.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Malware ran within the payment processing application environment, likely designed to blend in with legitimate form scripts.
- **Credential Access:** Direct harvesting of payment card numbers and associated PII entered by users.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed regarding internal network movement for the web skimmer.
- **Collection:** Scraping credit card information, names, addresses, phone numbers, and CVV/expiration dates.
- **Exfiltration:** Implied via communication channels established by the malicious software.
- **Impact:** Financial data theft and exposure of Personally Identifiable Information (PII).
## Impact Assessment
- **Financial:** Not quantified, though customer reports of fraudulent charges suggest direct financial impact on affected individuals.
- **Data Breach:** Information for approximately 67,000 customers exposed, including full payment card details (including CVVs) and PII (names, addresses, phone numbers).
- **Operational:** The ransomware attack "did not affect Avery’s internal systems," but the investigation and remediation related to the data breach likely incurred significant operational and response costs.
- **Reputational:** Public breach disclosures across multiple state regulators, impacting customer trust.
## Indicators of Compromise
*Note: No specific indicators (IPs/URLs/hashes) were provided in the source material, so this section remains generalized.*
- **Network indicators:** Unknown malicious outbound communication related to data exfiltration from the compromised web application server.
- **File indicators:** Undisclosed malware/script files injected into the payment processing application code base.
- **Behavioral indicators:** Unusually high volume of credit card data transmissions from the web server environment during the July 2024 to January 2025 attack window.
## Response Actions
- **Containment:** Isolation or removal of the malicious software from the credit card entry form. Segmentation/isolation of the affected payment application environment.
- **Eradication:** Forensic investigation to determine persistence mechanisms and remove all unauthorized code.
- **Recovery:** Communicating with customers, notifying regulators across multiple states, and likely re-securing or rebuilding payment processing infrastructure.
## Lessons Learned
- A ransomware incident can act as the trigger for discovering a pre-existing, long-running data breach, or it can camouflage one; either case suggests potential long-term network weakness or poor segmentation between different threat types.
- Payment application security was insufficient, allowing persistent malware introduction for over six months undetected.
- The full scope of impact (including CVV numbers being exposed) resulted in a significantly higher risk profile than initially assessed.
## Recommendations
- Implement continuous, real-time integrity monitoring (File Integrity Monitoring or synthetic transaction monitoring) on all payment processing application front ends to immediately detect script injection.
- Conduct independent, quarterly third-party security assessments specifically targeting web skimming vulnerabilities across all e-commerce portals.
- Review logging and alerting configurations to ensure that high-volume data egress from public-facing application servers is flagged, even if the initial malware is not detected.
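One concrete form of the integrity monitoring recommended above, as an added example that is not from the report or from Avery: a Python check that fingerprints every script on a checkout page (URL for external scripts, SHA-256 of the body for inline scripts) and flags any script absent from a known-good baseline. The checkout HTML, the CDN hostname and the injected snippet are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample: a known-good checkout page, and the same page after an
# unknown inline script is injected into the card entry form (illustrative only).
BASELINE_HTML = """<html><body>
<form id="card-entry" action="/pay" method="post">
  <input name="card_number"><input name="cvv">
</form>
<script src="https://cdn.example-shop.invalid/checkout.js"></script>
<script>window.checkoutVersion = "4.2";</script>
</body></html>"""
INJECTED_HTML = BASELINE_HTML.replace(
    "</form>", "<script>/* constructed injected snippet */</script></form>")

class ScriptCollector(HTMLParser):
    """Collects ('src', url) for external scripts and ('inline', body) for inline ones."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script, self._buf = [], False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src))
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append(("inline", "".join(self._buf)))

def script_fingerprints(html):
    """URL for each external script, SHA-256 of the body for each inline script."""
    collector = ScriptCollector()
    collector.feed(html)
    return {"src:" + v if k == "src" else "inline:sha256:" + hashlib.sha256(v.encode()).hexdigest()
            for k, v in collector.scripts}

def unexpected_scripts(baseline_html, observed_html):
    """Script fingerprints present on the observed page but missing from the baseline."""
    return script_fingerprints(observed_html) - script_fingerprints(baseline_html)
```

Calling `unexpected_scripts(BASELINE_HTML, INJECTED_HTML)` returns only the fingerprint of the injected inline script; in a real deployment the baseline would be regenerated from each approved checkout release and the check run against the live page on a schedule.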