
Last week OnePlus reached out to its customers to inform them that malicious code had been inserted into its payment page.

“Customers were informed Friday morning via email, which explained credit card numbers, expiration dates and security codes were all pilfered from customers who were entering their data into the oneplus.net website from mid-November through to January 11. That’s all the information anyone needs to start raiding bank accounts. Anyone who had saved credit card information or used PayPal shouldn’t have been affected, the company said.”

How did this happen? And how can we learn from this attack to better protect our schools, businesses & medical institutions?

“After an investigation and a temporary block enforced on credit card payments, OnePlus determined hackers had broken into its website server and installed malicious JavaScript code that would grab credit card data once it was entered.”

The payment page that OnePlus was using was not PCI compliant, which allowed the hackers to reach customers’ sensitive data, gaining access to credit card numbers, security codes, billing addresses, and even customers’ names.

“‘[OnePlus] should have been redirecting to the payment processor’s own payment page as that environment will be fully PCI [Payment Card Industry] compliant,’ Fidus hacker and founder Andrew Mabbitt said. The PCI Security Standards Council sets minimum bars to reach for payment processors in protecting data.”

Ensuring that your payment processing page and partner are PCI compliant is one step toward improving the security of your customers’ data. Another is to encrypt the data through Point-to-Point Encryption, or P2PE.

P2PE ensures that your customer’s data is encrypted immediately when the card is swiped, inserted, or typed. The encrypted data is stored within the processor’s network and is then turned into a “token” that is stored in the merchant’s network. The token communicates with the processor’s encrypted data to contact the bank and approve the charge.

If the data on your merchant network became compromised, or if for some reason a hacker got into your merchant system and got ahold of those tokens that were created from the original transaction, the information would be useless to the hacker.
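The flow described in the two paragraphs above, as an added Node.js sketch that is not code from OnePlus, Arrow Payments, or any processor. All names and the card number are constructed; RSA-OAEP stands in for the hardware-held keys real P2PE devices use, and the sketch assumes tokens are bound to the merchant they were issued to.

```javascript
// Added illustration: every name and value here is constructed, not a real processor API.
const nodeCrypto = require('node:crypto');

// Point of entry (card reader or hosted field): encrypts before merchant systems see anything.
// RSA-OAEP is a stand-in; real P2PE devices use keys injected into validated hardware.
function encryptAtEntry(processorPublicKey, pan) {
  return nodeCrypto.publicEncrypt(processorPublicKey, Buffer.from(pan, 'utf8'));
}

class Processor {
  constructor() {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
    this.publicKey = publicKey;    // shared with entry devices
    this.privateKey = privateKey;  // never leaves the processor
    this.vault = new Map();        // token -> { merchantId, encryptedPan }
  }
  // The token is random, so it has no mathematical relationship to the card number.
  tokenize(merchantId, encryptedPan) {
    const token = 'tok_' + nodeCrypto.randomBytes(16).toString('hex');
    this.vault.set(token, { merchantId, encryptedPan });
    return token;
  }
  // Only the processor can resolve a token, and only for the merchant it was issued to.
  charge(merchantId, token, amountCents) {
    const entry = this.vault.get(token);
    if (!entry || entry.merchantId !== merchantId) {
      return { approved: false, reason: 'token not valid for this merchant' };
    }
    const pan = nodeCrypto.privateDecrypt(this.privateKey, entry.encryptedPan).toString('utf8');
    // Stand-in for the bank authorization round trip.
    return { approved: /^\d{13,19}$/.test(pan), amountCents };
  }
}

// What the merchant keeps: tokens only. This is all a thief gets from the merchant database.
function checkout(processor, merchantDb, merchantId, orderId, pan) {
  const encryptedPan = encryptAtEntry(processor.publicKey, pan);
  const token = processor.tokenize(merchantId, encryptedPan);
  merchantDb.push({ orderId, token });
  return token;
}

// True if any stored field of the merchant database contains the card number.
function dumpContainsPan(merchantDb, pan) {
  return JSON.stringify(merchantDb).includes(pan);
}
```

A copy of the merchant database yields only random tokens, and a token presented under any other merchant identity is declined.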

If you are questioning whether your payment page is PCI compliant, most likely it is not. Connect with Arrow Payments to review your payment processing options and gain insight into your business’s payment security vulnerabilities before you experience a data breach and the costs that go along with it.

 Here to help,

Arrow Payments

 

Learn more: Android Police, Forbes

 
