AIM Surplus got hacked

Status
Not open for further replies.

sirgilligan

Member
Joined
Dec 21, 2010
Messages
895
I just got a letter in the mail from AIM Surplus stating that "an unauthorized person was able to gain access to certain images that had been uploaded to our website... that customers used to upload firearms license and documents for age verification..." For me this was an image of my driver's license. I called and asked them specifically what they did with this and if I recall correctly (and I think I do) they told me they looked at it to verify the order and they didn't keep it. Well, guess what, they kept it and they lost it. I am a programmer, and I asked them knowing what could happen, and they did not do what I recall they said they were going to do with the information.

They are offering a year subscription to ProtectedMyID. This type of information can be bought, sold, and traded for years to come.

Obviously I am not doing business with them ever again. I just wonder if accepting this free subscription is somehow "settling" with them so that if something does happen they are off the hook?
 
I, unfortunately, am also a customer of theirs. Haven't gotten the letter yet but probably will.

The thing is, in addition to your name, address, date of birth, and license number, with a theft from a place like AIM, they also know you're a gun owner and probably have guns at the listed address. What would that info be worth to a burglar?
 
I remember throwing away a random mailing from them recently...that's what it was?

Awesome
 
I've done business with them before, and likely will again.
This is just part of doing business these days, in the end I've got bigger problems and more important things to worry about.
 
I think I know the ultimate solution to all this hack stuff; eventually businesses will wise up and realize it is cheaper to simply request ID at the point of sale, each time (like a brick and mortar place), and not store this information on servers accessible to the web, than it is to pay insurance companies and lawyers. Once a hard drive is unplugged and shelved, ain't no hacker in the world good enough to get into it, but the company still has legal record of the sale, if needed. Any additional electronic access beyond this is mere convenience (i.e. laziness), and will be exploited.

Imagine if the 7-11 you pump gas from keeps a bin full of everyone's credit card numbers and driver's licenses (which you need both of to buy alcohol, for instance) behind the counter, or even in a safe at the counter. Most of us would call it a needless risk of customer data if the bin was not periodically emptied and the contents stored at a more secure location than what is accessible to the public (and could be stolen if desired through a bit of illegal force)

"Hmm, last time I did business with them I lived in a place that literally no longer exists."
Brigadoon?

"The thing is, in addition to your name, address, date of birth, and license number, with a theft from a place like AIM, they also know you're a gun owner and probably have guns at the listed address. What would that info be worth to a burglar?"
*gasp* Or the government! <black helicopters>

:D

TCB
 
I've never done business w/ AIM. But Wideners required your DL if you wanted to purchase certain items. They were recently sold so who knows where this image is now.
 
Your personal information can and will be stolen by hackers from any place online in which it exists, which is a plethora...

My (and probably your) name and address can be found with any white pages search, the email address I use is a free Yahoo account with a pretty decent spam filter, and my credit card (which has been stolen numerous times over the years from who knows where) has full fraud protection.

Only way to avoid any risk would be to buy everything locally in cash. Decide if that is worth it to you; it isn't to me. You can not buy from AIM if you want, but that isn't going to help or hinder your exposure to data thieves moving forward.
 
Name, address, phone number and CC are one thing. A copy of a government issued ID is on a whole different level. I don't worry about CC information being stolen. It's happened too many times and I'm not liable for anything. Someone getting ahold of my driver's license can do a lot of damage w/ it. This breach is beyond the usual CC information.
 
Height, eye color, DOB and a picture. Having your DL stolen is a lot more harmful than a CC number.
 
Height, eye color, DOB and a picture. Having your DL stolen is a lot more harmful than a CC number.
Agreed, but in Ohio (not sure about your state) they no longer put your SS# on the DL so it isn't as damaging as it could have been.

There is only so much havoc they can create without your SS#
 
I got the letter too. It has been a few years since I ordered and have been issued a new driver's license in the meantime. While it is a little worrisome to get a letter like that in the mail, I'm not overly concerned. What could someone do with an image of your DL anyway?
 
I will restate, I asked about what they would do with the image of my driver's license, they did not do what they told me.

Just because they got hacked or as it has been suggested, just because a store gets robbed I am not doing business there anymore, that is a straw man argument, I never said that, and I only respond to the statement to point out that statement wasn't well thought out or is a bait and switch.

It is a breach of trust for me.
 
Place gets robbed so you refuse to ever do business with them again?

The problem is that they required and then stored the information making it possible to be stolen. Very few retailers do that. A photo of your driver license isn't something to just have floating around if you can help it. Shopping with almost any retailer other than AIM, that isn't an issue.
 
I have seen gun dealers photocopy your driver's license for a gun sale, but it was paper only, not scanned. Of course, they could have done that also.
 
And this is why I took the scanned image and reduced it to a low-resolution greyscale, with "For age verification purposes ONLY!" emblazoned across it in red. It's too low-res to make a viable duplicate. Also, I never updated my license with them since I moved from Arizona to Virginia 3 years ago, so the license itself is no longer valid. Still works for ordering, though.
 
I have seen gun dealers photocopy your driver's license for a gun sale, but it was paper only, not scanned. Of course, they could have done that also.

Are you implying that those gun dealers then entered all of those driver license photos into an online database that could be hacked?
 
Warp, many likely use some form of electronic record-keeping. Now, whether that data is "hackable" is a good question. Obviously, anything can be compromised given the right circumstances, but it's fairly easy to mitigate those risks and / or make it far more difficult than it's worth. As long as the machine it's stored on isn't used for web services in any way and isn't used for general web browsing, it's fairly safe from remote threats. If they take the proper step of encrypting things, it's pretty rock-solid there, too.
 
Height, eye color, DOB and a picture. Having your DL stolen is a lot more harmful than a CC number.

I'm not being sarcastic, but how?

Everyone I've ever met knows what I look like, there's almost certainly a picture of me online that someone other than me put there. And my birthday has been broadcast on the radio before, it's even put on a billboard every year at work, along with 500ish other people's.

I'm not saying you're wrong, I have no idea, I just don't see how it's that much different.
 
I'm not being sarcastic, but how?

Everyone I've ever met knows what I look like, there's almost certainly a picture of me online that someone other than me put there. And my birthday has been broadcast on the radio before, it's even put on a billboard every year at work, along with 500ish other people's.

I'm not saying you're wrong, I have no idea, I just don't see how it's that much different.

A big part of it is that most credit card companies and banks have people and computers monitoring card usage patterns for anomalies and potential fraud. They're getting pretty good at it. There is nothing of the sort monitoring Driver's License # usage. It's also very easy to cancel a credit card and get a new number which puts an end to the use of that card. It's nigh unto impossible to change your DL # in most states.

I got the letter also and I'm probably going to sign up for LifeLock or something like it instead of just credit monitoring, which I already have.

Matt
 
I received the letter too. Their policy was a horrible one, requiring you to scan your DL. It was almost enough for me not to initially do business with them. Other sites don't have this requirement. And now look what happened.

I've spoken to someone over there and they weren't specific about how they are doing it moving forward but said they are not having you upload your DL anymore.
 
I have been a victim of identity theft. Including SSN. In all honesty, this can happen anywhere. The magnetic strip on your DL contains the same info as on the front and there are portable strip machines that can be inserted to steal DL info. In short, it's almost impossible to prevent theft. Unless you are someone important and worth money, they'll probably just delete or throw your data out. Most of the hackers are in Russia or China and they don't really care where you live. They're not coming to your house. They might care about your bank account. Just look for little charges (like iTunes and Amazon music, that's how they ping you).

Don't sweat it and just watch your financial accounts.
 
I have been a victim of identity theft. Including SSN. In all honesty, this can happen anywhere. The magnetic strip on your DL contains the same info as on the front and there are portable strip machines that can be inserted to steal DL info. In short, it's almost impossible to prevent theft. Unless you are someone important and worth money, they'll probably just delete or throw your data out. Most of the hackers are in Russia or China and they don't really care where you live. They're not coming to your house. They might care about your bank account. Just look for little charges (like iTunes and Amazon music, that's how they ping you).

Don't sweat it and just watch your financial accounts.

Those portable machines need to get kind of close, and a little foil in the wallet can go a long way.

And no, you don't have to be important for that information to be useful/used.

Is your picture in the magnetic strip? Wait, what magnetic strip? My DL doesn't have one of those.
 