Parents who have made payments to UK schools via the Wisepay programme in recent days have been alerted that their card details have been compromised.
Wisepay said that the hack of its website meant that the attacker was able to collect payment details between 2 and 5 October via a spoof page.
Attempted payments to about 300 schools have been hit by the scam.
Yet the company said that only a limited percentage of pupils’ parents would have used the system before it was taken offline.
Its managing director said this was because the kind of cashless payments made, including exam fees and school meals, would not be made on a daily basis.
“Right now, it’s quite a small subset of platform users,” said Richard Grazier.
The attack occurred on Friday night and was not observed until 10:00 BST on the following Monday morning.
The website of Wisepay was taken down at that point, Mr Grazier said.
It has since come back online and is now safe to use, he said.
Mr Grazier said the hacker had managed to find a “backdoor” into the system’s database and had modified one page.
As a result, whenever users clicked to make a payment, they were redirected to an external page controlled by the attacker.
This was “spoofed” to appear like a legitimate payment page, but everyone who entered their debit or credit card details was effectively sending them to the cyber-criminal.
It’s early days, but it seems that Wisepay may have been the target of a credit card skimming attack often referred to as a Magecart hack.
Attackers did not break into any databases to steal the details; they took over the live payment page.
So if I paid for a service at my son’s school during the time the hackers were in control of that page, they would have access to all my credit card details when I entered the system.
These attacks never last for a long time since hackers are usually found fairly easily and kicked out of the system. Cybercriminals also choose targets with highly active payment systems. As an organisation offering payment services to multiple schools and colleges, Wisepay may have become a worthy target.
Investigators, including the Information Commissioner’s Office, will also attempt to figure out how many customers lost their credit card information in the three days after the attack.
Larger Magecart hacks have proved to be extremely successful for attackers. In 2018, about 400,000 consumers had their credit card details stolen when the British Airways website was similarly compromised for around 15 days.
In that case, the ICO said that it intended to fine BA a record £183m, but this is yet to be concluded.
Wisepay said that it did not keep any payment details itself and that it had not leaked any of its own records.
However, in a letter to the school, it recommended that parents who felt they could be affected should pause or cancel their bank cards and change any online banking passwords.
The Information Commissioner said that Wisepay had notified it of a “possible breach of data and we will carry out further enquiries.”
The company also said that it had contacted the police and had “engaged a computer forensic expert” whose work was ongoing.