Aptexx Affected

Notified: August 28, 2014 Updated: July 01, 2015

Statement Date: June 30, 2015

Status

Affected

Vendor Statement

Aptexx is diligent in its protection of customers' Personal Identifying Information (PII) as defined in Fed. Reg. 15736-15754 - “Sensitive customer information means a customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number.” The only information available to anyone who logs into Aptexx using the link referenced by CERT is a user’s First and Last Name. The account page does not display full credit card numbers, debit card numbers, or bank account numbers. This information resides in a different system controlled by a PCI Level 1 compliant third party and is not accessible via the payment URLs or by Aptexx. No personal bank account, credit card, or debit card information can be accessed or otherwise derived from the payment URLs. The URLs are only sent via e-mail or text message to users who have been previously authenticated by our clients. Each link is comprised of a randomly generated GUID. There is no inherent risk in displaying the last 4 digits of a bank account number or debit/credit card as that information is not sufficient to fraudulently issue transactions on an account. In 2014, Aptexx made the change recommended by CERT that requires users to authenticate with a username and password in order to access their account. In addition, Aptexx undergoes annual 3rd party infrastructure and application security penetration tests and resolves all issues as recommended by the independent 3rd Party.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.