Data breach hits Sebas’ ‘Amazon’




Tribune Business Editor


Sebas Bastian’s regional e-commerce platform yesterday revealed it has been hit by a data breach that “compromised” the credit card information of Bahamians and other nationalities across the Caribbean and Latin America.

Aeropost, in a message released to customers early yesterday morning, gave no indication of what caused the breach and whether it had been hacked, or how many cardholders had been impacted. It advised all to check their financial statements for “fraudulent transactions” and to request replacement cards from their bank and financial provider. Thus a hack appears likely.

In an alert entitled Your credit card may have been compromised, Aeropost warned clients: “We regret to inform you that the credit card we have on file may have been compromised in a recent data breach. Although our systems safely store your card information encrypted, it may be possible that enforcers [hackers or fraudsters] attempt to run transactions.

“To prevent further damage from being done, we recommend the following. Check your credit card statement for fraudulent transactions and report them to the credit card issuer [and] request a replacement card. As a preventative measure, we have reset your Aeropost account credentials and deleted your credit cards stored in our system. Aeropost will never ask you for personal information in e-mails related to this incident. We apologise for any inconvenience this incident may cause.”

Bahamians yesterday, though, were already reporting having become the victim of fraudulent transactions as a result of the Aeropost data breach. “Has anyone else received an e-mail regarding a data breach and possible compromised card from Aeropost?” one wrote on Facebook yesterday. “Follow up: As I am on hold attempting to block my card, a fraudulent charge came through. I suggest everyone checks their card.”

Another wrote: “I received an e-mail from them early this morning about that as well.” Given the sensitivity of the situation, with personal financial data involved, Tribune Business is withholding the identities of those involved in the exchange although it knows who they are.

Jayme Pinder, Aeropost Bahamas marketing manager, confirmed both the data breach and consumer warning were genuine. “We did have an issue with that. We sent out a warning to customers at 5am this morning,” she said.

However, she declined to comment further. Both Ms Pinder and Gershan Major, Aeropost Bahamas’ senior executive, referred this newspaper to Jose Carlos Acuna, the company’s regional PR chief, who did not respond to Tribune Business and the detailed list of questions sent to him before press time. 

This newspaper had asked for details on the nature of the data breach and how long it had existed before it was uncovered. Details on how many customers’ personal financial data has been compromised were also requested, along with how many countries and markets were affected. Information was also sought on what Aeropost has done to remedy the breach, and how it plans to regain the trust and confidence of clients.

It is understood that the data breach affects many more countries and nationalities than The Bahamas. It is thought Aeropost will likely release a statement on the matter today.

Hacks/data breaches are the main Achilles heel or weak point for companies involved in the digital economy, including e-commerce platforms such as Aeropost. The theft of personal financial data exposes customers to both identity theft and financial loss, with their bank accounts pillaged and credit histories compromised. For the companies involved, it can completely undermine a business model that relies on electronic security to build trust and confidence.

Mr Bastian, the Island Luck co-founder, unveiled ambitions for Aeropost to become an “Amazon-like” presence among 60m consumers across the Caribbean, Latin American and Central American region when he confirmed his acquisition of the e-commerce platform in early December 2021.

At the time, he said Aeropost will be a vehicle that allows small businesses to sell their products online through its portal while offering “the lowest bar” to market. Describing what differentiates it from its competitors, Mr Bastian said it will direct sell as well as acting as a middleman between other vendors and consumers. The Bahamas has become the latest addition to the 38 territories it already services.

“We have our own catalogue where we have direct seller relationships,” he added. “We also have an integration with some of the major retailers; one is Amazon. And if you can’t find what you’re looking for on our catalogue and our search bar, you can copy and paste the link from any website.

“So if you’re browsing on Google or Amazon, when you see a product you can just copy the product link, paste it in Aeropost’s search bar, hit the search button, and in seconds you will be presented with a fully landed price of that actual item. So, in that short space of time, it is actually calculating the shipping costs, the duty costs and the delivery costs into those regions.”

Aeropost allows merchants to post their items on the platform’s catalogue, and arrange for their shipping and delivery to purchasers. Consumers will be able to pick up their goods from its main fulfilment centre, or any Esso service station.

Mr Bastian raised nearly $19m from investors to finance the Aeropost acquisition via Click Partners LP, a British Virgin Islands (BVI) domiciled limited partnership described in promotional material as a “digital, e-commerce, logistics and operations expert”.

A release announcing the Aeropost purchase identified a Canadian, Toronto-based entrepreneur called Adam Arviv as Mr Bastian’s partner in Click Bahamas. Research by this newspaper indicated that the two men come from similar backgrounds, with Mr Arviv named in Internet reports as one of the founders of Bragg Gaming, a gaming technology and content provider.

He was said to have left that company last year. Meanwhile, Mr Bastian was said to have been advised on the Aeropost deal by Simon Legge, who was identified on the SEC filing as a “director of the general partner”. A person of the same name is identified as Bragg Gaming’s head of mergers and acquisitions on their LinkedIn page.

Aeropost was billed as having payment methods that allow consumers to buy US-sourced merchandise, with the acquisition combining its logistics and shipping operations with Click Partners’ smart locker technology. It was also said to be handling $400m worth of cross-border commerce annually. Click Partners bought Aeropost from Nasdaq-listed PriceSmart.


tribanon 3 months, 3 weeks ago

All the banks and other card issuers whose customers have been impacted by this major data breach should be telling their customers in no uncertain terms that they should immediately cease using their cards for transactions involving all establishments and businesses owned or controlled by His Excellency, the corrupt low-life thug, Sebas Bastian.

In fact, from a risk control standpoint, all the banks and other card issuers should be taking steps to immediately 'cut off' from their customer card systems all establishments and businesses connected with the corrupt likes of Sebas Bastian, Craig Flowers, and other thugs like them.

Issuing cards that enable others to transact business with agents of the Devil doesn't make good business sense and will always result in significant losses of one kind or another for the card issuers. And the sooner the card issuers wake up to that fact, the better.


Sickened 3 months, 3 weeks ago

This business-ending data breach couldn't have happened to a nicer person. Aw shucks! Next story.


dajohhnycanoe 3 months, 3 weeks ago

No local business should ever keep your card details. Do not use them if they store your credit card information.

