Customers of many regional freight forwarders rushed to call their banks after their debit and credit card information was compromised in a data breach affecting Aeropost Inc.
Aeropost emailed customers on Sunday saying their credit cards may have been compromised. He said that “While our systems securely store your credit card information encrypted, it is possible that law enforcement may attempt to execute transactions.”
Aeropost is an integrated e-commerce provider that provides end-to-end services in 38 countries in Latin America and the Caribbean. It has been around since 1988 and operates a 177,000 square foot international logistics center at its headquarters in Miami, Florida.
To further protect its customers, it reset the credentials of all system users and deleted all credit cards stored in its system. The company also encouraged users to check their credit card statement and request a replacement credit card. This prevented users from checking the status of their orders and whether they reached the Miami address.
As Aeropost notified customers on Sunday, many users in the region reported transactions being made with their cards on various websites they had never seen before.
On Twitter, a user from the Bahamas asked how his bank’s fraud detection system failed to block his card when 22 transactions of $112 each were made, totaling $2,464 ($381,920). A Jamaican user on instagram said she was charged eight times US$100 because fraudsters used her card details on different online websites.
A user shared a screenshot of an attempted transaction on a Japanese website second street online for ¥20,460 ($20,684.47) who was blocked because his card was blocked. A common website reported by many users is Apple Inc. the common trading day being April 20.
Users in Costa Rica, Barbados, Peru, El Salvador, and Trinidad and Tobago have also reported that their cards have been compromised.
Mailpac Group Limited uses Aeropost to process orders sent to the Miami address before they travel to Jamaica and ultimately to their stores for collection.
“We regret to confirm that there was a short-lived data breach on the technology platform operated by Aeropost, resulting in the compromise of some customers’ credit cards. Fortunately, we were able to neutralize the breach and have made our platform more secure to prevent it from happening again in the future,” a post on Mailpac said. Twitter page.
A full stack developer on Twitter explained the significance of the violation.
“[It] Seems they also stored CVV and full card number and other customer information to validate transactions. Cipher cipher probably used [was] so weak. Disappointing security practices and major loss for customers,” the developer said.
Another user explained that while the card data might have been encrypted, it probably wasn’t hashed, which would have replaced the information with a hash code. He also mentioned that card information should not be stored on a website and more money should be spent on data security.
This was backed by software developer Khary Sharpe who tweeted a recommendation for other developers to tokenize or plain text payment information. Sharpe pointed out how this violation of payment card industry compliance can result in fines from the many jurisdictions in which they operate. The breach left many users waiting for new cards issued by their banks.
Sharpe pointed out that he does not save card information on any website unless it is a subscription and it is required. He also encouraged everyone to turn on text, email and app notifications from their bank and use a password manager to generate strong passwords and ensure they don’t reuse them.
Aeropost’s former cross-border casillero and marketplace business was sold by Nasdaq-listed Pricemart Inc in October to Bahamian Click to Collect Company Limited. Pricemart received US$4.96 million as proceeds from the transaction and recorded a pre-tax gain of US$2.7 million. Pricemart retained the services of key personnel from Aeropost and provided US$2 million of logistics services to Pricemart for 36 months. Pricemart originally acquired it in March 2018.
This is the latest blow to freight forwarding businesses in the Caribbean after Amazon Inc on Feb. 27 blocked users from sending their orders to addresses provided by their freight forwarders. This included local companies like Rocketship, Reliable Courier, ShipMe and Packit4u, while Trinidad and Tobago companies included CSF and Web Source. The issue was apparently resolved a few days later. Mailpac was one of the unaffected local businesses.
In addition to apologizing for the violation, Aeropost encourages users to send additional questions to [email protected].