Massachusetts-based automotive parts seller ID Parts is notifying roughly 12,000 individuals that malicious code was inserted into the functions that process customer payment information on the ID Parts website, and that their credit card information was stolen.

How many victims? Roughly 12,000. 

What type of personal information? Credit card numbers, expiration dates, and CVV/CVV2 security codes.

What happened? Malicious code was inserted into the functions that process customer payment information on the ID Parts website, and customer credit card information was stolen. The information was then emailed to an unknown third party.

What was the response? The malicious code was immediately disabled upon discovery, and was isolated in a development environment for investigation and testing. ID Parts conducted a server-wide search of related code and did not identify any additional instances of malicious code. ID Parts changed the passwords on all system accounts associated with its domain, and is reviewing data security policies and procedures. All impacted individuals are being notified.

Details: American Express notified ID Parts in early October 2014 that the ID Parts website was the common point of purchase in a fraud investigation. ID Parts discovered the malicious code on Oct. 28, 2014. An investigation suggested that the malicious code was inserted into the website in January 2014. It does not appear that the malicious code captured or emailed customer names, addresses or phone numbers. Purchases made using PayPal, check or money order, or a credit card saved to the customer's account gateway, were not targeted or affected by the malicious code.

Quote: “Based on server access logs, it does not appear that any unauthorized user currently has access to the server,” according to a notification letter signed by Peter Noble, manager of ID Parts.

Source: doj.nh.gov, “ID Parts, LLC,” Dec. 18, 2014.