Slim CD, a payment gateway provider, has reported a data breach that compromised the personal and financial data of approximately 1.7 million individuals. The breach, which allowed hackers to access the company’s network for nearly a year, exposed sensitive information such as credit card numbers, expiration dates, and personal addresses.

Based in Florida, Slim CD provides payment processing solutions for businesses through web-based terminals, mobile, and desktop applications. The company detected suspicious activity within its systems on 15 June 2024. Following this discovery, Slim CD claims to have initiated a comprehensive investigation, engaging third-party cybersecurity experts to assess the scope and impact of the breach.

Slim CD customer credit card data potentially exposed

According to Slim CD, the investigation revealed unauthorised access to its network beginning on 17 August 2023 and lasting until 15 June 2024.

During this period, there was a two-day window, between 14 June and 15 June 2024, when the threat actors potentially viewed or accessed credit card data.

“The investigation identified unauthorised system access between 17 August 2023 and 15 June 2024,” a notification sent to affected individuals stated. “That access may have enabled an unauthorised actor to view or obtain certain credit card information between 14 June 2024 and 15 June 2024.”

The types of information exposed in this breach include full names, physical addresses, credit card numbers, and payment card expiration dates. Although the stolen data does not contain the card verification value (CVV), which is essential for conducting fraudulent transactions, the risk of credit card fraud remains a significant concern.

Upon detecting the breach, Slim CD is said to have quickly moved to secure its systems, assess the potential damage, and identify the affected cardholders.

The company notified relevant federal law enforcement agencies and initiated measures to enhance its cybersecurity defences to prevent similar incidents in the future. Slim CD is continuing to review its policies and procedures related to data security to mitigate the risk of future breaches.

Affected individuals have been advised by the firm to remain vigilant against signs of fraud or identity theft and to report any suspicious activity to their card issuer immediately. Slim CD has provided guidance on how to place fraud alerts and credit freezes on credit files and how to obtain free credit reports from major credit reporting agencies Equifax, Experian, and TransUnion.

Despite these efforts, Slim CD has not offered complimentary identity theft protection services to those impacted by the breach. The company has stressed the importance of ongoing vigilance, urging affected individuals to monitor their account statements and credit reports closely.

Slim CD’s services cater to various sectors, including retail, hospitality, and restaurants. However, most individuals receiving breach notifications are unlikely to have directly interacted with the company, as they were customers of merchants that utilise Slim CD’s payment processing services.

Credit card bonanzas for cyberattackers

The Slim CD incident is not isolated, as other financial institutions have also been recent targets of cyberattacks. Patelco Credit Union, a member-owned, not-for-profit financial institution based in Northern California, recently confirmed a significant data breach. This breach impacted 726,000 individuals following a ransomware attack by the RansomHub group, compromising sensitive customer information. The stolen data includes full names, Social Security numbers, driver’s licence numbers, dates of birth, and email addresses.

According to the CDW Cybersecurity Research Report for 2024, financial organisations are increasingly targeted and suffer more costly breaches compared to other sectors. Approximately 75% of financial services organisations have experienced at least one breach in the past five years, with many resulting in financial losses exceeding $5m per incident.
