Payment-processing company says data breach potentially affected 1.7 million people


Slim CD, a company that provides software to merchants for processing electronic payments, said the credit card information of nearly 1.7 million people was exposed to an “unauthorized actor” in mid-June.

The breached data potentially included “name, address, credit card number, and card expiration date,” but there is “no evidence that any such information has been used to commit identity theft or fraud,” the Florida-based company said in a notification letter filed September 6 with regulators.

The company has not released details about the nature of the intrusion or the attackers.

Slim CD’s Gateway product allows merchants in the U.S. and Canada “to take any kind of electronic payment with a single piece of software” that connects to broader processing networks like Visa or Mastercard.

The company said 1,693,000 people were affected by the breach, but did not break down that number by region. 

Slim CD said it took the usual steps of notifying law enforcement, calling in a third-party security specialist and reviewing its policies to help stop a similar incident from happening again.

The company said its own investigation revealed that the intruder had access to company systems as early as August 2023, but the actual data breach did not occur until June 14, 2024, lasting about a day. 

Payment processing has long been a target for cybercriminals, with recent incidents affecting a nationwide system in India, a buy-now, play-later platform and a company that handles services such as prepaid cards and digital banking. Stolen payment card details are often sold in batches on the dark web, resulting in billions of dollars in losses globally for card issuers.


Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.

 
