Parents who made payments to UK schools in recent days via the Wisepay service have been warned their card details have been compromised.
Wisepay said a hack of its website meant an attacker was able to harvest payment details between 2 and 5 October via a spoof page.
Attempted payments to about 300 schools have been affected by the scam.
But the firm said only a small number of the pupils’ parents would have used its system before it was taken offline.
Its managing director said this was because the type of cashless payments made – covering things like exam fees and school meals – would not be done on a daily basis.
“Actually, it’s quite a small subset of users of the platform,” insisted Richard Grazier.
The attack occurred on a Friday night and was not noticed until the following Monday morning at 10:00 BST.
At that point Wisepay’s website was taken down, Mr Grazier said.
It had since come back online and was now safe to use, he added.
Mr Grazier said the hacker had managed to find a “backdoor” into the system’s database and had modified one page.
As a result, when users clicked to make a payment, they were redirected to an external page controlled by the attacker.
This was “spoofed” to look like a legitimate payment page – but anyone who entered their debit or credit card details was effectively sending them to the cyber-criminal.
It’s early stages, but it appears that Wisepay may have been victims of a credit card skimming attack sometimes referred to as a Magecart hack.
Attackers didn’t break into any databases to steal the information, they took over the live payment page.
So if I paid for a service at my son’s school during the period the hackers had control of that page, they would have access to all my credit card details as I entered them to the system.
These attacks never last for long as the hackers are usually found fairly quickly and kicked out of the system. So cyber criminals have to choose targets with highly active payment systems. As a company that provides payment services for multiple schools and colleges, Wisepay may have been a worthy target.
Investigators including The Information Commissioner’s Office will now try to work out how many customers lost their credit card information in the three days of this attack.
Larger Magecart hacks have proven to be extremely successful for attackers. In 2018, nearly 400,000 customers had their credit card details stolen when the British Airways website was similarly compromised for around 15 days.
In that instance, the ICO said it intends to fine BA a record £183m – although it is yet to be concluded.
Wisepay said it does not store any payment information itself and had not leaked any of its own records.
But in a letter to schools, it recommended that parents who thought they might been affected should pause or cancel their bank cards, and change any online banking passwords.
The Information Commissioner’s Office said Wisepay had notified it of “a potential data breach and we will be making further enquiries”.
The firm also said it had contacted the police and had “engaged a computer forensics expert” whose work was ongoing.