Malware was discovered to have been active for almost all of 2016.
The Register explains:
Shoppers of 40 online stores have had their bank card numbers and addresses slurped by a malware infection at backend provider Aptos.
The security breach occurred late last year when a crook was able to inject spyware into machines Aptos used to host its retail services for online shops. This software nasty was able to access customer payment card numbers and expiration dates, full names, addresses, phone numbers and email addresses, we're told.
Rather than being alerted to the infiltration by Aptos itself, instead we were warned this week by Aptos' customers – the retailers whose websites were infected by the malware on the backend provider's servers.
According to these stores, which have had to file computer security breach notifications with state authorities, the malware was active on Aptos systems from February through December of 2016.