Website Incident - Temporarily Placed in Maintenance
Avery has never stored credit card information on the Website. Any credit card information you enter through the use of the site remains on your browser and is sent to a third-party gateway (e-way) for processing.
The only information Avery collects on the website is information enabling us to ship you an order and to allow you to store your designs.
The website is safe to use.
Following reports received from a customer on 19 February 2018, our external IT team commenced an extensive investigation as to why that customer had reported the attempted activation of malware whilst visiting the WePrint website. This attempt was blocked by the customer’s anti-virus software. Our customer support team received a second report from a customer on 26 February 2018, and a third report on 6 March 2018. Each of these attempts were blocked by the customer’s browser (chrome) and an anti-virus program AVG in the case of the event on 6 March 2018. The Trojan reported was JS:Includer-BMF.
On 12 March 2018, our IT team was able to track down the reason why these events were triggered and took steps to shut down the website and remove the malware and put in place additional controls to provide further protection.
How did it happen?
Our IT team carefully reviewed the logfiles and other material to investigate. This is what we now know.
On 17 November 2017, an unauthorised user gained remote access to Avery’s WePrint website by exploiting a flaw in the ecommerce system used by Avery and many other online merchants. The flaw permitted the user to bypass the various security systems and processes established by Avery to protect the WePrint website.
The malware installed on the site did not lead to a loss of information from the WePrint website. Rather, the purpose was to seek to facilitate the loading of malware on to customers’ browsers, particularly those without up-to-date browsers or anti-virus software.
If not blocked, the malware installs itself onto a user’s computer and is used to record a user’s keystrokes in a browser when entering, for example, credit card information. The malware then transmits (harvests) that information from the user to a remote point for collection.
Avery’s website was not involved in this harvesting and has never received your credit card information.
Am I at risk?
We do not have any reason to suspect that your particular credit card was harvested in this matter or that your visit to the site led to any particular use. The only reports we have had suggest that browsers and anti-virus programs blocked any attempts to load the malware.
We have not received any reports of credit card misuse on our site or card fraud.
To use the Avery site, you need to have an up-to-date browser because of the advanced printing design features we provide. This makes it more likely that your browser would have blocked the attempt, just as it has done for the customers that have reported the issue to us.
If the risk is low, why are you telling me?
Whilst we think that the risk is low, we wanted to let you know about this event and to be transparent with you and to assure you that we take your privacy and online safety and security very seriously.
How can I get more information?
Should you have any other concerns, please contact our customer service team
Our contact details are as follows:
You can contact Avery Products PTY LTD by emailing firstname.lastname@example.org or by sending us a letter at: 11 Carrington Road Castle Hill NSW 2154 or by phoning us at: Australia: 1800 644 353, New Zealand: 0800 228 379 during normal business hours EST.