Avery Products Corporation reports data breach caused by card skimming attack on their website

Avery Products Corporation, an American manufacturer of self-adhesive labels and printing services, has disclosed a significant data breach resulting from a card skimming attack on their website.

The incident involved both a ransomware attack and the deployment of malicious code designed to steal customer payment information. The attack began on July 18, 2024, but was only discovered 5 months later, on December 9, 2024

Threat actors planted a card skimmer on the company's e-commerce website (avery.com) to intercept customer payment information during checkout. At least 61,193 customers had their data exposed. Exposed data includes:

• First and last names
• Billing and shipping addresses
• Email addresses
• Phone numbers
• Payment card numbers
• CVV codes
• Card expiration dates
• Purchase amounts

Some customers have reported fraudulent charges and many have reported receiving phishing emails. Avery has sent notification letters to affected individuals and relevant authorities and is offering 12 months of free credit monitoring through Cyberscout.

The company claims that Social Security numbers, driver's license numbers, government-issued ID numbers, and dates of birth were not compromised.