Customers of numerous regional freight forwarders were left scrambling to call their banks after their debit and credit card information was compromised in a data breach affecting Aeropost Inc.
Aeropost sent out an e-mail on Sunday to customers that their credit cards might have been compromised. It stated that, “Although our systems safely store your credit card information encrypted, it may be possible that enforcers attempt to run transactions.”
Aeropost is an integrated e-commerce provider that supplies end-to-end services across 38 countries in Latin America and Caribbean. It’s been in existence since 1988 and operates a 177,000 square foot international logistics hub at its headquarters in Miami, Florida.
In order to protect its customers further, it reset the credentials of all users in the system and deleted all credit cards stored in its system. The company also encouraged users to check their credit card statement and request a replacement credit card. This has left users unable to check the status of their orders and if they have reached the Miami address.
While Aeropost informed customers on the Sunday, numerous users across the region reported that transactions were being done with their cards on various websites they have never seen before.
On Twitter, one Bahamian user queried how his bank’s fraud detection system failed to block his card when 22 transactions for US$112 each went through, totalling US$2,464 ($381,920). A Jamaican user on Instagram said she was charged US$100 eight times as fraudsters used her card details at different websites online.
One user shared a screenshot of an attempted transaction on Japanese website Second Street Online for ¥20,460 ($20,684.47) which was blocked since his card was kept frozen. A common website reported by many users is Apple Inc with the common day of transactions being April 20.
Users in Costa Rica, Barbados, Peru, El Salvador, and Trinidad and Tobago also shared that their cards have been compromised.
Mailpac Group Limited uses Aeropost to process orders sent to the Miami address before it is routed to Jamaica and ultimately their stores for pick up.
“We regret to confirm that there was a short-lived data breach on the technology platform operated by Aeropost, resulting in some customer credit cards being compromised. Fortunately, we have been able to neutralise the breach and have further secured our platform to prevent recurrence in the future,” said a post on Mailpac’s Twitter page.
A full stack developer on Twitter explained the significance of the breach.
“[It] appears they also stored the CVV and the full card number along with other customer information allowing transactions to be validated. Likely encryption cipher used [was] also weak. Disappointing security practices and major loss for customers,” the developer said.
Another user explained that although the card data might have been encrypted, it likely wasn’t hashed, which would have substituted the information with a hash code. He also mentioned how card information shouldn’t be stored on a website and how more money needs to be spent on data security.
This was supported by software developer Khary Sharpe who tweeted a recommendation that other developers tokenise or plain text payment information. Sharpe highlighted how this payment card industry compliance breach may attract fines from the numerous jurisdictions in which they operate. The breach has left many users waiting to be issued new cards by their banks.
Sharpe pointed out that he doesn’t save card information on any website unless it’s a subscription and is required. He also encouraged everyone to turn on SMS, e-mail and app notifications from their bank and use a password manager to generate strong passwords and ensure they don’t reuse them.
The legacy cross border casillero and market place business of Aeropost was sold by Nasdaq-listed company Pricesmart Inc in October to Bahamian Click to Collect Company Limited. Pricesmart collected US$4.96 million as proceeds from the transaction and booked a pre-tax gain of US$2.7 million. Pricesmart retained key Aeropost personnel and provided US$2 million of logistical services to Pricesmart for 36 months. Pricesmart originally acquired it in March 2018.
This is the latest hit to freight forwarding businesses in the Caribbean after Amazon Inc blocked users on February 27 from sending their orders to addresses provided by their freight forwarders. This included local firms like Rocketship, Reliable Courier, ShipMe and Packit4u, while Trinidadian and Tobago firms included CSF and Web Source. The issue was apparently resolved some days later. Mailpac was one of the unaffected local firms.
Apart from apologising for the breach, Aeropost is encouraging users to send additional questions to firstname.lastname@example.org.