Label maker Avery has disclosed a data breach affecting 61,193 customers, caused by a credit card skimmer that remained active on its website for nearly five months. The malicious software was used to scrape customer payment information between July 18, 2024, and December 9, 2024.
Avery became aware of the attack on December 9, 2024, and launched an investigation, which revealed that cybercriminals had injected malware into its website. The skimmer harvested sensitive data, including names, billing and shipping addresses, email addresses, phone numbers, and full payment card details, including CVV numbers and expiration dates.
Affected customers have reported fraudulent charges and phishing emails since the breach. Avery has notified impacted individuals via email and is advising vigilance against potential scams. “We deeply regret this incident and are committed to enhancing our security measures to prevent future occurrences,” the company stated in its notification.
Credit card skimmers exploit vulnerabilities in website content management systems (CMS) and plugins, embedding malicious JavaScript to capture payment information. These attacks are particularly hard to detect, as the code blends seamlessly with legitimate scripts commonly used in e-commerce platforms.
To protect yourself from card skimmers, experts recommend using up-to-date antivirus solutions and enabling in-browser protections. Tools like Malwarebytes Browser Guard can block skimmers, detect malicious domains, and prevent phishing attempts. Customers are urged to monitor their bank statements for suspicious activity and report any fraudulent charges immediately.