Avery Products, the world's largest label supplier, revealed that an investigation into a December ransomware attack uncovered a separate data breach affecting approximately 67,000 customers.
The company discovered malicious software on its website that collected credit card information between July 2024 and January 2025. According to notices filed with multiple state regulators, hackers inserted malware into the credit card entry form, enabling them to capture customer payment details.
The compromised information included customer names, billing and shipping addresses, phone numbers, credit card data, CVV numbers, and expiration dates. While the ransomware attack only impacted a payment processing application rather than Avery's internal systems, the broader investigation revealed this additional security breach.
Two customers have reported fraudulent charges and phishing emails to Avery. The company initially believed the stolen data had not been misused but now acknowledges the possibility that payment information may have been acquired and exploited.
Avery has filed breach notification letters in several states, including Maine, California, Texas, Massachusetts, Vermont and Iowa. The company has not confirmed whether the ransomware attackers were also responsible for planting the credit card scraping malware or whether the incidents are connected.
The discovery highlights how initial cyber incidents can sometimes lead to the detection of additional ongoing security compromises when organizations conduct thorough forensic investigations.