Almost 1.7 million consumers in the US and Canada may have had their data exposed in a massive credit card database breach.
Florida-based Slim CD, a payment processor, is sending emails to customers that their information may have been accessed anytime from August 2023 to June 2024.
The company provides software systems to merchants, allowing them to take any kind of electronic payment, both online and in-person, across variety of hardware.
Slim CD, which only discovered the hack in June of this year, warned that 'identity theft and [financial] fraud' may be issues after finding that individuals' names, addresses, credit card numbers and credit card expiration dates were all accessed.
While it is unknown how many of the 1,693,000 customers were directly impacted in the 'data event,' 797 residents of Maine were confirmed to be the most at-risk, according to the warning notifications issued Friday by Slim CD.
Representative of the Coral Springs headquartered payment processor did not disclose whether Maine residents had been expressly targeted by the hackers, or if this portion of Slim CD's database had simply proven to be the most vulnerable.
Although the hackers fortunately did not obtain 'card verification numbers' (CVVs) during the hack, cybersecurity experts and Slim CD itself have cautioned that card holders should take action to protect themselves.
Without CVV information, cybercriminals would be forced to attempt further hacking gambits to actually be able to make fraudulent transactions with these stolen cards.
These follow-up hacking attempts could take the form of 'phishing' emails or text messages to those already victimized by the data breach, meaning those whose card information has been stolen are advised wary of requests for more private data.
Security experts advised that credit card owners who believe they might have been victimized by the breach should contact their bank or credit card provider immediately about getting a replacement card.
Additionally, potential victims may want to also closely monitor their financial accounts for signs of fraud, particularly unauthorized transactions or more subtle changes to personal account information.
While Slim CD did not specify how exactly its attackers managed to gain entry to its system in its public 'Data Event' notice (PDF), 'experts believe that a combination of phishing, malware, or social engineering tactics may have been employed,' according to UK tech site HackRead.
Shockingly, the payment processor disclosed that the hackers appear to have first gained entry to their system on August 17, 2023 but only kicked off in mid-June 2024.
This 'unauthorized system access,' based on their investigation, was finally flagged that month, when the hackers made a run for the firm's database of credit card information.
'That access may have enabled an unauthorized actor to view or obtain certain credit card information between June 14, 2024, and June 15, 2024,' according to Slim CD.
Under ordinary circumstances, a company that has discovered a data breach will typically offer those impacted by its own security lapses 'free access to either the best identity theft protection services or at least credit monitoring,' VPN privacy tester and security writer Anthony Spadafora noted.
And, fortunately, senior leaders at Slim CD tell DailyMail.com that they are doing exactly that for impacted individuals.
'We are providing credit monitoring to individuals in accordance with state and federal laws,' Slim CD's chief technology officer Frank Haggar said via email.
However — as listed on an advisory notice by Office of the Maine Attorney General — Slim CD has not, at least, offered 'identity theft protection services' to victims in that northeastern state at the time of their posting.
Per its direct notice to the 800 or so most 'at risk' Mainers whose private credit card info was stolen in the hack, the company is also providing broader guidance as well.
Slim CD said it's 'providing individuals with information on how to place a fraud alert and security freeze on one's credit file, the contact details for the national consumer reporting agencies, [and] information on how to obtain a free credit report.'
The firm added it was also offering users of its customers' payment software 'encouragement to contact the Federal Trade Commission, their state Attorney General, and law enforcement to report attempted or actual identity theft and fraud.'