The American Society for Clinical Pathology (ASCP) disclosed a payment card incident that impacted customers who entered payment info on its e-commerce website.
The Chicago-based association for medical professionals is the world’s largest such organization for pathologists and laboratory professionals.
Its member list includes over 100,000 medical laboratory professionals, clinical and anatomic pathologists, residents, and students.
Attackers targeted ASCP’s e-commerce site
“We have recently been informed that our e-commerce website was the target of a cybersecurity attack that, for a limited time period, potentially exposed payment card data as it was entered on our website,” ASCP said.
“We engaged external forensic investigators and data privacy professionals and conducted a thorough investigation into the incident.”
While the data breach notification seen by BleepingComputer has the breach time period redacted, information filed with relevant authorities says that the attackers had access to ASCP’s site on (or between) March 30, 2020, and November 6, 2020.
On March 11, 2021, ASCP discovered that the attackers might have had access to customers’ payment card information, including names, credit or debit card numbers, card expiration dates, and CVV (the three- or four-digit code printed on the front or back of the card).
The pathologists association added that it found no evidence that customers’ exposed payment card info was misused after the incident.
ASCP also said it does not store any of its customers’ payment card data on its servers and that it implemented security measures to prevent similar incidents in the future.
We resolved the issue that led to the potential exposure on the website. We implemented additional security safeguards to protect against future intrusions. We continue ongoing intensive monitoring of our website, to ensure that it exceeds industry standards to be secure of any malicious activity. — ASCP
All signs point to a Magecart attack
While ASCP didn’t explain the exact nature of the incident, all the evidence indicates that its customers were the victims of a web skimming (also known as digital skimming, e-skimming, or Magecart) attack.
Once deployed on a compromised online shop, these skimmers let the attackers harvest the payment and personal info submitted by the store’s customers and send it to remote servers under their control.
The attackers later use this data in various financial fraud or identity theft schemes, or sell it to others on hacking or carding forums.
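As an added illustration of the defender’s side of the skimming attack described above (example code, not from the article, ASCP, or any forensic report on this incident): a small Python audit that lists the scripts on a checkout page that an owner-maintained allowlist of script hosts does not cover, and checks whether the page’s Content-Security-Policy carries the directives that bound where form data and requests may be sent. The sample HTML, the hostnames, and the allowlist are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a checkout page that loads one script from a host the
# shop's owners never approved (all hostnames here are hypothetical).
SAMPLE_HTML = """
<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn.example/jquery.min.js"></script>
<script src="https://static-analytics.example/collect.js"></script>
<script>window.__cfg = {currency: "USD"};</script>
</head><body><form id="payment" action="/pay">...</form></body></html>
"""

# Assumed allowlist: hosts the shop's owners have approved for script loading.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


def audit_scripts(html, allowed_hosts):
    """Return (kind, detail) findings for scripts the allowlist does not cover.
    External scripts from an unlisted host and inline scripts are both
    reported, because a skimmer can be introduced either way; each finding is
    something a reviewer should be able to explain."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        if m:
            host = urlparse(m.group(1)).hostname or ""
            if host not in allowed_hosts:
                findings.append(("external-unlisted", m.group(1)))
        elif body.strip():
            findings.append(("inline", body.strip()[:60]))
    return findings


def audit_csp(header):
    """Return the CSP directives that limit where a checkout page may load
    scripts from and send data to, but are absent from the given policy."""
    directives = {d.strip().split()[0] for d in header.split(";") if d.strip()}
    return [d for d in ("script-src", "connect-src", "form-action")
            if d not in directives]


if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_HTML, ALLOWED_SCRIPT_HOSTS):
        print(f"{kind}: {detail}")
    print("missing CSP directives:", audit_csp("default-src 'self'"))
```

Run against a real checkout page, the script list should be compared on every deployment or on a schedule, since a skimmer that sat unnoticed for months, as in the timeline above, is the failure this kind of check is meant to catch early.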
The FBI warned in October 2019 of Magecart threats targeting both government agencies and SMBs (small and medium-sized businesses) that process online payments.
The federal law enforcement agency also advised online shop owners to keep their software updated since it is one of the main mitigation measures against web skimming attacks.
An ASCP spokesperson was not available for comment when contacted by BleepingComputer earlier this week.