Industry News

American Payroll Association Forgets to Patch Web Portal, Hackers Skim Credit Cards and Passwords Off Site

• American Payroll Association uncovered unusual activity on the site dating back to May 13
• Hackers exploited vulnerability to deploy card-skimming techniques and steal credit card data
• Identity thieves gained access to login information (i.e. username and password) and individual payment card information
• APA notice suggests IT reps forgot to patch the web portal

The American Payroll Association (APA), a professional association for individuals responsible for processing company payrolls, is warning clients of a breach discovered recently that exposed large amounts of financial and personal data.

Identity thieves use skimming to capture payment and personal information from a credit card holder. Skimming techniques typically involve physical alterations to an ATM or POS, but in some cases, it can be done solely through software. Apparently, that’s what happened at APA when the association’s IT guys uncovered “unusual activity on the site dating back to May 13, 2020 at approximately 7:30 pm CT.”

“The APA experienced a skimming cyberattack in which personal information was accessed by unauthorized individuals,” the notification reads, according to

“The source of the cyberattack is thought to have been a vulnerability in APA’s content management system, which allowed a ‘skimmer’ to be installed on both the login webpage of the APA website, as well as the checkout section of the APA’s online store,” it states.

The attackers gained access to usernames and passwords as well as a ton of credit card information and associated data.

The notice states that, by way of account access, the electronic fields that “may have been accessed” include:

  • First and last names
  • Email address
  • Job title and job role
  • Primary job function and direct supervisor
  • Gender
  • Date of birth
  • Address (either business of personal), including country, province or state, city, and postal code
  • Company name and size
  • Employee industry
  • Payroll software used at workplace
  • Time and attendance software used at work
  • Profile photos and social media username information (for “some” accounts only)

Embarrassingly, the APA seems to admit its technicians failed to deploy the necessary patches at the right time, leading to hackers exploiting known vulnerabilities in its systems.

“Since discovering the cyberattack, APA has installed the latest security patches from our content management system to prevent any further exploitation of their website,” the statement continues. “APA technicians also reviewed all code changes made to the APA website since January; installed additional antivirus software on our servers; and increased the frequency of security patch implementation.”

If you are a member of the APA, check your bank statements closely in the coming months and watch out for any phishing attempts, either by email or SMS. As a general rule, never respond to unsolicited messages asking for your personal data.

In situations like these, organizations are obliged to offer free credit card monitoring for affected customers. If you believe you are affected by this hack, contact the APA to seek coverage for your credit card monitoring service.

About the author


Filip is an experienced writer with over a decade of practice in the technology realm. He has covered a wide range of topics in such industries as gaming, software, hardware and cyber-security, and has worked in various B2B and B2C marketing roles. Filip currently serves as Information Security Analyst with Bitdefender.