APA Statement on Data Breach

BY: APA Staff | 09/08/20

Over the last few days, we’ve seen various media stories and comments about the recent cyberattack on our website that led to a data breach. We want to make sure that anyone who may have been affected by this breach is fully aware of what happened and is protected in the future. Our goal is full transparency, and that’s why we are working to comply with all state, federal, and global guidelines for notification and reporting. APA has succeeded for nearly 40 years because we value and respect our members and customers. We take the privacy and security of your information very seriously.

We found it truly upsetting when we learned in July that we had been the target of this cyberattack. It was a novel (new) “skimming” attack, which means it was designed to grab the data that visitors typed while visiting our websites. Our databases were not breached, but thieves may have accessed some of that typed data. Once we discovered the cyberattack, the clear directive for our team was to act quickly to determine the cause, secure our systems, and identify and notify the individuals who may have been impacted by the security incident. 

As you all have heard during breaches involving Equifax, Target, Chipotle, and other major companies, data thieves are constantly trying to steal data. This has been occurring for years, and we regularly update our software, defenses, and procedures to combat such theft. This particular skimming hack was created in April 2020. However, this was a novel hack, and the security companies that businesses like ours depend on to monitor and discover these vulnerabilities did not identify this particular threat until July 7. We became aware of the cyberattack on the APA website on July 13. Our IT and Customer Service teams fixed the issue just days later, on July 16.

On July 29, APA required all users of its website, whether or not their data may have been compromised, to change their password. We did this to ensure that the stolen data could not be used to gain access to the APA website.

APA is in the process of notifying all affected users. In its notification letters, APA is providing information on how affected users can protect their identity. For those users in the U.S. and Canada whose financial data was compromised, APA is offering credit monitoring for a period of one year and identity theft insurance, at no cost to the individual.

We understand the importance of our role as custodians of your information and we will work every day to guard your information and regain your trust. We do not take that responsibility lightly. We pledge that in the weeks, months, and years ahead, APA will continue to take active steps to protect its customers against any future malicious attacks. And we will always be transparent with our members and customers.