It took 10 months for Slim CD to detect a data breach impacting 1.7M people

Slim CD Data Breach Exposed Customer Payment Info for 10 Months
Corporate Misconduct Accountability Project

Payment processor Slim CD, Inc. failed to detect unauthorized system access from August 2023 to June 2024, potentially exposing names, addresses, credit card numbers, and expiration dates of customers who paid merchants using their services.

HIGH SEVERITY
TL;DR

Slim CD, a payment processing gateway for US and Canadian merchants, discovered suspicious activity in its computer systems on June 15, 2024. Investigation revealed that unauthorized actors had access to their systems for nearly ten months, from August 17, 2023, through June 15, 2024. During this extended breach period, hackers potentially viewed or obtained sensitive customer information including names, addresses, credit card numbers, and card expiration dates. The company only detected the intrusion after ten months of vulnerability, placing thousands of consumers at risk of identity theft and financial fraud.

If you used a credit card at a merchant serviced by Slim CD, your financial data may be compromised.

10 months: Duration of undetected unauthorized system access
Aug 17, 2023: When unauthorized access to Slim CD systems began
June 15, 2024: When Slim CD finally detected suspicious activity

The Allegations: A Breakdown

Core Allegations
What they failed to protect · 6 points
01. Slim CD allowed unauthorized actors to maintain access to its computer systems for nearly ten months, from August 17, 2023, to June 15, 2024, without detection. [high]
02. The company failed to implement adequate monitoring systems to detect the intrusion for approximately 302 days, leaving customer payment data vulnerable throughout this period. [high]
03. Unauthorized actors potentially viewed or obtained customer names, addresses, credit card numbers, and card expiration dates between June 14 and June 15, 2024. [high]
04. Slim CD only became aware of suspicious activity on or about June 15, 2024, nearly ten months after the breach began, demonstrating inadequate security monitoring capabilities. [high]
05. The company processed sensitive payment data for US and Canadian merchants without sufficient safeguards to prevent or promptly detect unauthorized system access. [medium]
06. Customers received notification of the breach only after Slim CD completed its investigation and review of accessible credit card information to identify affected individuals. [medium]

Security Failures
How basic protections failed · 5 points
01. Slim CD lacked effective intrusion detection systems capable of identifying unauthorized access in real time or even within a reasonable timeframe. [high]
02. The company failed to implement security controls that would have prevented ten months of continuous unauthorized system access by malicious actors. [high]
03. Slim CD only engaged a third-party specialist to investigate the incident after discovering suspicious activity, rather than having proactive monitoring in place. [medium]
04. The payment processor handled electronic payments including credit card data without adequate safeguards to protect this sensitive financial information from unauthorized viewing or theft. [high]
05. Slim CD took steps to implement additional safeguards only after the breach was discovered, indicating previous security measures were insufficient. [medium]

Profit Over People
Security as an afterthought · 4 points
01. Slim CD appears to have underinvested in cybersecurity monitoring systems, as evidenced by the ten-month detection gap that allowed prolonged unauthorized access. [high]
02. The company processed sensitive payment data for merchants across the US and Canada while maintaining inadequate security infrastructure to protect customer information. [high]
03. Slim CD waited until after a data breach to review its policies and procedures relating to data privacy and security, rather than maintaining robust protections beforehand. [medium]
04. The payment processor built its business model around handling credit card payments but failed to prioritize the security investments necessary to protect that data adequately. [medium]

Economic Fallout
Costs passed to consumers · 6 points
01. Affected customers must now spend significant time monitoring their account statements and credit reports for suspicious activity and fraudulent charges. [high]
02. Consumers face potential financial losses from fraudulent transactions made using their compromised credit card numbers and personal information. [high]
03. Individuals whose data was exposed must navigate the complex process of placing fraud alerts or credit freezes, requiring extensive personal documentation and multiple contacts with credit bureaus. [medium]
04. Victims of this breach may need to pay for extended credit monitoring services beyond any limited period offered by Slim CD, creating ongoing out-of-pocket expenses. [medium]
05. Identity theft resulting from this breach could damage credit scores, affecting victims’ ability to secure loans, mortgages, or employment in the future. [high]
06. The anxiety and stress of having financial information compromised imposes emotional and productivity costs that Slim CD does not compensate. [medium]

Community Impact
Trust destroyed · 4 points
01. The breach erodes public trust in digital payment systems and the companies that handle sensitive financial information for everyday transactions. [medium]
02. Customers who used credit cards at merchants serviced by Slim CD now face collective anxiety about the security of their personal and financial data. [medium]
03. The incident contributes to growing public cynicism about whether corporations can be trusted to protect consumer data they collect and process. [medium]
04. Affected individuals must divert time and energy away from their lives and work to manage fraud protection, representing a collective societal cost. [medium]

Corporate Accountability Failures
Response falls short · 5 points
01. Slim CD fulfills only its minimum legal obligation to notify affected individuals, without offering concrete compensation for the risks it created through inadequate security. [high]
02. The company places the burden of protection entirely on victims, advising them to monitor their own accounts and credit reports rather than providing comprehensive identity theft protection. [high]
03. Slim CD reports the incident to federal law enforcement and regulatory authorities only as required by law, suggesting compliance rather than genuine accountability drives its response. [medium]
04. The notification provides affected customers only with a dedicated phone line and mailing address for questions, offering no direct financial remediation or robust identity theft services. [medium]
05. The company implemented additional safeguards and reviewed security policies only after the breach occurred, indicating reactive rather than proactive data protection practices. [medium]

The PR Machine
Minimizing through language · 5 points
01. Slim CD frames the breach as an incident that may affect privacy, using softening language like "may have enabled" rather than directly stating customer data was compromised. [medium]
02. The company apologizes only for "any concern and frustration" the incident may cause, minimizing the serious financial and identity theft risks customers actually face. [medium]
03. Slim CD emphasizes that it takes data privacy very seriously and is committed to security, despite the ten-month detection failure that directly contradicts these claims. [medium]
04. The notification describes discovering suspicious activity rather than acknowledging a massive security failure that left systems vulnerable for nearly a year. [medium]
05. The company shifts responsibility to consumers by encouraging vigilance and providing lengthy instructions for self-protection rather than offering comprehensive company-funded remediation. [high]

Exploiting Delay
Ten months of vulnerability · 4 points
01. Slim CD operated for ten months with compromised systems without detecting the intrusion, allowing the company to defer costly security improvements throughout this period. [high]
02. The extended period between the start of unauthorized access on August 17, 2023, and detection on June 15, 2024, meant customer data remained at risk while the company continued normal operations. [high]
03. Customers remained unaware their payment information was vulnerable for nearly a year, preventing them from taking protective action during the actual period of exposure. [high]
04. The company completed its investigation and identified affected cardholders before sending notifications, creating additional delay between breach discovery and customer awareness. [medium]

The Bottom Line
A predictable failure · 5 points
01. Slim CD’s ten-month detection failure represents a serious breach of trust for customers whose financial data the company was entrusted to protect during payment processing. [high]
02. The incident exemplifies how payment processors can prioritize operational efficiency over comprehensive security monitoring, leaving consumer data vulnerable to prolonged unauthorized access. [high]
03. Affected individuals now bear the burden of monitoring their financial accounts and protecting against identity theft due to security failures they did not cause and could not prevent. [high]
04. This breach illustrates the urgent need for stronger data protection regulations that mandate real-time intrusion detection and impose meaningful penalties for extended security failures. [high]
05. The Slim CD case demonstrates that notification alone is insufficient accountability when companies fail to maintain adequate security for sensitive payment data. [medium]

Timeline of Events

August 17, 2023: Unauthorized actors gain access to Slim CD computer systems
August 2023 – June 2024: Hackers maintain undetected access to Slim CD systems for nearly ten months
June 14-15, 2024: Unauthorized actors potentially view or obtain customer credit card information
June 15, 2024: Slim CD becomes aware of suspicious activity in its computer environment
June 15, 2024: Slim CD launches investigation and engages third-party forensic specialists through counsel
Post-June 15, 2024: Investigation identifies unauthorized system access spanning August 2023 to June 2024
Post-June 15, 2024: Slim CD reviews accessible credit card information to identify potentially affected cardholders
Post-June 15, 2024: Company implements additional safeguards and reviews data privacy and security policies
Post-June 15, 2024: Slim CD reports incident to federal law enforcement and regulatory authorities as required by law
Notification Date: Slim CD sends data breach notification letters to affected customers

Direct Quotes from the Legal Record

QUOTE 1: Ten-month detection failure [allegations]
“The investigation identified unauthorized system access between August 17, 2023, and June 15, 2024.”

💡 This reveals Slim CD failed to detect hackers in its systems for nearly ten months, an extraordinary security monitoring failure.

QUOTE 2: When breach was discovered [allegations]
“On or about June 15, 2024, Slim CD became aware of suspicious activity in its computer environment.”

💡 The company only discovered the breach after ten months of unauthorized access, demonstrating inadequate real-time security monitoring.

QUOTE 3: Customer data compromised [allegations]
“Slim CD determined that types of information potentially impacted by this incident include your name, address, credit card number, and card expiration date.”

💡 Hackers accessed the exact combination of data needed to commit credit card fraud and identity theft.

QUOTE 4: Window of data theft [allegations]
“That access may have enabled an unauthorized actor to view or obtain certain credit card information between June 14, 2024, and June 15, 2024.”

💡 Despite ten months of system access, the company can only narrow the data exfiltration window to the final two days before detection.

QUOTE 5: Reactive not proactive security [accountability]
“Upon discovery of this incident, we quickly commenced a thorough investigation and took steps to implement additional safeguards and review our policies and procedures relating to data privacy and security.”

💡 Slim CD only implemented additional safeguards after the breach, proving previous security measures were inadequate.

QUOTE 6: Burden shifted to consumers [pr_machine]
“We encourage you to remain vigilant against incidents of identity theft and fraud by reviewing your account statements and monitoring your free credit reports for suspicious activity and to detect errors.”

💡 The company places responsibility on victims to protect themselves rather than offering comprehensive company-funded identity theft protection.

QUOTE 7: Minimizing language [pr_machine]
“Slim CD writes to notify you of an incident that may affect the privacy of some of your information.”

💡 The company uses softening language like "may affect" rather than directly acknowledging that customer financial data was compromised.

QUOTE 8: Inadequate apology [pr_machine]
“We apologize to you for any concern and frustration this incident may cause.”

💡 Slim CD apologizes only for concern and frustration, minimizing the serious financial fraud and identity theft risks customers actually face.

QUOTE 9: Compliance not accountability [accountability]
“We also took steps to report this incident to federal law enforcement, and regulatory authorities, as required by law.”

💡 The phrase "as required by law" indicates Slim CD reports the breach for legal compliance rather than genuine accountability.

QUOTE 10: Role as payment processor [allegations]
“Slim CD is a processing gateway that handles electronic payments, including credit card payments for US and Canadian based merchants.”

💡 As a payment gateway, Slim CD was specifically entrusted to securely handle sensitive financial data, making this breach particularly egregious.

QUOTE 11: Third-party investigation only after breach [regulatory]
“Slim CD engaged, through counsel, a third-party specialist to investigate the incident.”

💡 The company hired security specialists only after discovering the breach rather than having proactive monitoring systems in place.

QUOTE 12: Empty security promise [pr_machine]
“We take the confidentiality, privacy, and security of information in our possession very seriously.”

💡 This claim rings hollow given the company’s failure to detect unauthorized access for ten months.

Frequently Asked Questions

What happened at Slim CD?
Slim CD, a payment processing company, suffered a data breach where hackers had unauthorized access to their computer systems from August 17, 2023, to June 15, 2024. The company did not detect this intrusion for nearly ten months. During this time, hackers potentially viewed or obtained customer names, addresses, credit card numbers, and card expiration dates.
How long did hackers have access to Slim CD systems?
Unauthorized actors maintained access to Slim CD computer systems for approximately ten months, from August 17, 2023, until June 15, 2024, when the company finally detected suspicious activity. This extended period of undetected access demonstrates serious failures in Slim CD’s security monitoring capabilities.
What information was stolen in the Slim CD breach?
The breach potentially compromised four types of customer information: names, addresses, credit card numbers, and card expiration dates. This combination of data provides everything needed for identity theft and credit card fraud.
How did Slim CD discover the breach?
Slim CD became aware of suspicious activity in its computer environment on or about June 15, 2024. After discovering this activity, the company launched an investigation and engaged a third-party specialist through legal counsel to determine the full scope of the intrusion.
Why did it take so long for Slim CD to detect the breach?
The document does not explain why detection took ten months, but this extended timeframe indicates Slim CD lacked adequate real-time intrusion detection systems and security monitoring capabilities. The company only implemented additional safeguards after discovering the breach, suggesting previous security measures were insufficient.
What is Slim CD offering to affected customers?
Slim CD provides affected customers only with a dedicated phone line for questions and written instructions on how to monitor their own credit reports and place fraud alerts. The notification does not mention any company-funded credit monitoring services, financial compensation, or comprehensive identity theft protection.
Am I affected by this breach?
You may be affected if you used a credit card for payment at any merchant that uses Slim CD’s payment processing services. Slim CD states it reviewed accessible credit card information to identify potentially affected cardholders and is notifying those individuals directly.
What should I do if I received a notification from Slim CD?
Immediately review your credit card and bank statements for unauthorized charges. Request your free annual credit reports from Equifax, Experian, and TransUnion at annualcreditreport.com. Consider placing a fraud alert or credit freeze on your credit reports. Monitor your accounts closely for any suspicious activity. Document any fraudulent charges and report them to your financial institution and local law enforcement.
Can I sue Slim CD for this breach?
The notification letter does not address legal rights or potential lawsuits. Affected individuals may wish to consult with an attorney specializing in data breach cases to understand their legal options. Many data breach lawsuits are filed as class actions when large numbers of consumers are harmed by inadequate corporate security practices.
Did Slim CD report this breach to authorities?
Yes, Slim CD states it took steps to report the incident to federal law enforcement and regulatory authorities, as required by law. The phrasing indicates this reporting was done for legal compliance rather than voluntary disclosure.
Original: 2025-05-20  ·  Rebuilt: 2026-03-20

This lawsuit is anything but frivolous imo and my opinion is very often a good one imo


Aleeia

I'm the creator of this website. I have 6+ years of experience as an independent researcher studying corporatocracy and its detrimental effects on every single aspect of society.

For more information, please see my About page.

All posts published by this profile were either personally written by me, or I actively edited / reviewed them before publishing. Thank you for your attention to this matter.
