The Tribune

By NEIL HARTNELL

Tribune Business Editor

nhartnell@tribunemedia.net

The e-commerce platform owned by Sebas Bastian yesterday said only 6 percent of customers were impacted by a recent data breach as it sought to reassure that all necessary measures are being taken to rectify the problem.

Aeropost, in a statement to Tribune Business, did not provide a gross figure for how many clients’ credit card details may have been compromised. Given its pan-regional client base across The Bahamas, Caribbean and Central America, that 6 percent could potentially represent hundreds - if not several thousand - customers.

Explaining what occurred, Aeropost said: “Over the weekend we received reports of fraudulent activity involving Aeropost customer credit cards. Although our systems keep all customer information encrypted and under a PCI certified zone, our security monitoring protocol identified unusual activity on a server used for file management. The server we identified as being exposed to a potential breach accounted data for 6 percent of our customers.

“We are committed to protecting every one of our customers personal data and are therefore taking these precautionary measures to eliminate any additional risk to our customers.” The e-commerce platform detailed five specific steps taken to remedy the breach, mitigate risk and inform those who had been impacted.

“We disabled the breached server and the data transmission services that included it,” the company added. “We deleted all login credentials in our systems (passwords) and payment information. We opened collaborative channels with banking and governmental entities in order to identify the attackers and protect our customers from fraudulent charges.

“We contacted via e-mail all customers who may have been affected and asked them to take additional steps to review their account statements and request replacement cards from their banks. We created a specialised contact team to individually assist each affected customer.”

Aeropost said it was working with card issuing banks to try and reduce the fees and administrative costs associated with ordering new credit and debit cards. “Banks require each cardholder to contact them directly,” it added. “In the same way, we understand that our customers have concerns related to fraudulent charges. Card issuers are familiar with cases like these and have pre-established protocols in place to eliminate such charges and protect the cardholder...

“We reiterate our commitment to continually ensuring each of our customers’ data is protected.” Tribune Business first revealed the data breach on Monday. It is understood that the data breach affects many more countries and nationalities than The Bahamas. 

Hacks/data breaches are the main achilles heel or weak point for companies involved in the digital economy, including e-commerce platforms such as Aeropost. The theft of personal financial data exposes customers to both identity theft and financial loss, with their bank accounts pillaged and credit histories compromised. For the companies it involved, it can completely undermine a business model that relies on electronic security to build trust and confidence.

In its initial client alert, Aeropost said: “We regret to inform you that the credit card we have on file may have been compromised in a recent data breach. Although our systems safely store your card information encrypted, it may be possible that enforcers [hackers or fraudsters] attempt to run transactions.

“To prevent further damage from being done, we recommend the following. Check your credit card statement for fraudulent transactions and report them to the credit card issuer [and] request a replacement card. As a preventative measure, we have reset your Aeropost account credentials and deleted your credit cards stored in our system. Aeropost will never ask you for personal information in e-mails related to this incident. We apologise for any inconvenience this incident may cause.”

Bahamians were on Sunday already reporting having become the victim of fraudulent transactions as a result of the Aeropost data breach. “Has anyone else received an e-mail regarding a data breach and possible compromised card from Aeropost?” one wrote on Facebook yesterday. “Follow up: As I am on hold attempting to block my card, a fraudulent charge came through. I suggest everyone checks their card.”

Mr Bastian, the Island Luck co-founder, unveiled ambitions for Aeropost to become an “Amazon-like” presence among 60m consumers across the Caribbean, Latin American and Central American region when he confirmed his acquisition of the e-commerce platform in early December 2021.

At the time, he said Aeropost will be a vehicle that allows small businesses to sell their products online through its portal while offering “the lowest bar” to market. Describing what differentiates it from its competitors, Mr Bastian said it will direct sell as well as acting as a middleman between other vendors and consumers. The Bahamas has become the latest addition to the 38 territories it already services.

“We have our own catalogue where we have direct seller relationships,” he added. “We also have an integration with some of the major retailers; one is Amazon. And if you can’t find what you’re looking for on our catalogue and our search bar, you can copy and paste the link from any website.

“So if you’re browsing on Google or Amazon, when you see a product you can just copy the product link, paste it in Aeropost’s search bar, hit the search button, and in seconds you will be presented with a fully landed price of that actual item. So, in that short space of time, it is actually calculating the shipping costs, the duty costs and the delivery costs into those regions.”

Aeropost allows merchants to post their items on the platform’s catalogue, and arrange for their shipping and delivery to purchasers. Consumers will be able to pick up their goods from its main fulfilment centre, or any Esso service station