AIM Surplus Responds to ID Theft



sevenhelmet
05-01-16, 15:31
EDITED: This is intended as both a warning to other customers and (as other members point out below) a reminder to never share your ID info with people who don't actually need it (e.g., not required for online ammo purchases!)

I received a notice in the mail yesterday regarding a data breach on their website. Evidently, on April 4, 2016, an unauthorized person was able to gain access to certain images that had been uploaded to the website, namely photographed driver's licenses used by AIM to verify age for online ammo sales. Photos of customers' driver's license or other photo ID were compromised. Be warned, especially if you have your SSN on the ID you used! According to AIM, no order or payment information was compromised. The full text of the letter is below, with my PII edited out.

Page 2 of the letter is a code to use for free 3rd party ID protection for 12 months.

http://i64.tinypic.com/r8fnf6.jpg

Note to mods: If this fits better somewhere other than General Discussion, please relocate.

nml
05-01-16, 15:57
Think I ordered ammo once but they wanted a driver's license so it was easier to buy elsewhere.

sevenhelmet
05-01-16, 16:03
Yeah, I ordered from them because at the time, they were the only vendor that had the ammo I wanted in stock. I've only run into one other vendor that wanted I.D., and that was for ammo marked "LEO/mil only".

SteyrAUG
05-01-16, 16:13
I worry more about my DOB than my SS number.

SkiDevil
05-01-16, 16:32
There are several retail companies who request a photo ID for ordering from them. No thanks, I'll pass and do.

An example of why to be guarded with your personal identification or credentials. Identity theft and fraud are a major problem.

It's good that Aim Surplus had the integrity to come clean about what happened, but more should be done to prevent it from happening in the first place.

Everyone should be checking their credit regularly, because it can be done at least once per year for free. I think at least two to three times per year is better.

I have been identity thieved and it is a royal pain to deal with afterwards.

_Stormin_
05-01-16, 18:21
Why on earth wouldn't they verify the DOB and mark the users account as good to go, then promptly securely delete the ID image? Common sense...

I have to admit, I've been happy with the service from AIM in the past, and will probably continue to keep them on my list of GTG vendors. That's still one hell of a slip.

Sam
05-01-16, 18:32
I got that letter too. While I feel bad and angry, even the IRS system got hacked and SS # and other info were breached.

Eurodriver
05-01-16, 18:42
I have a state certification consisting of even the most basic IT security knowledge and even I know that there are two huge factors where AIM ****ed up.

1) Keeping more info than they need to. There is no law to require ID from purchasers and there is no law to retain that info.

2) Not encrypting sensitive info and keeping it offline.

Prompt response earned your business? Good for you OP. You misunderstand even the most basic facets of Internet security. AIM ****ed up, big time. Their whole "prompt response" and "free security monitoring" is merely common practice for this type of thing.

FYI I got the letter too.

Outlander Systems
05-01-16, 19:37
Do you even Air-Gap, bro?

Alex V
05-01-16, 19:49
Got the letter too. Not happy about it.

themonk
05-01-16, 20:59
I want a lot more answers than were in that BS letter!

Campbell
05-01-16, 21:20
I want a lot more answers than were in that BS letter!
This, I will be calling Monday morning

T2C
05-01-16, 21:24
I received the letter as well. I can file it with the letters about security breaches I receive every two to three years from the VA when they foul up.

SeriousStudent
05-01-16, 22:06
I also got the letter, and I'm not thrilled that they did not do what Stormin and Eurodriver said. Just put a Yes flag in a database field, and delete the DL image, thankyouverymuch.

Jeez, I do this shit for a living, it's just not that hard to figure out. But when you trust outsourced services, you frequently find out who the weakest link is.
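The "verify it once, set a flag, delete the image" flow that Stormin, Eurodriver and SeriousStudent describe, written out as an added example. This is not AIM's code and not code from any poster; it assumes the date of birth has already been read off the upload by some out-of-scope step (OCR or a human reviewer) and is passed in, and the minimum age, file names and customer ID below are made up for the illustration.

```python
"""Added example: verify-then-discard handling of an uploaded ID image.
Not AIM Surplus code. Assumptions: DOB is extracted elsewhere and passed
in; MIN_AGE, paths and IDs are constructed for the demo."""
import json
import os
import tempfile
from dataclasses import dataclass, asdict
from datetime import date, datetime, timezone
from pathlib import Path
from typing import List, Optional

MIN_AGE = 21   # assumed policy for the product being sold


def is_at_least(dob: date, years: int, today: date) -> bool:
    """True if someone born on `dob` has had their `years`th birthday on or
    before `today`. Handles the birthday-not-yet-reached case and a 29 Feb
    DOB (treated as 1 Mar in non-leap years)."""
    try:
        cutoff = dob.replace(year=dob.year + years)
    except ValueError:                      # 29 Feb -> 1 Mar
        cutoff = dob.replace(year=dob.year + years, month=3, day=1)
    return today >= cutoff


@dataclass
class AgeVerification:
    """What the account record keeps: a flag plus an audit trail.
    No document number, no image, no DOB."""
    customer_id: str
    age_verified: bool
    verified_at: str        # ISO-8601 UTC
    reviewer: str           # who or what checked the document
    document_type: str      # e.g. "drivers_license"


def secure_delete(path: Path) -> None:
    """Overwrite then unlink. On SSDs and copy-on-write filesystems the
    overwrite is best-effort; the real control is not keeping the file."""
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        fh.write(os.urandom(size))
        fh.flush()
        os.fsync(fh.fileno())
    path.unlink()


def verify_and_discard(customer_id: str, upload: Path, dob_on_document: date,
                       reviewer: str, today: Optional[date] = None) -> AgeVerification:
    """Check the document once and delete the image whether the check
    passes or fails."""
    today = today or datetime.now(timezone.utc).date()
    try:
        ok = is_at_least(dob_on_document, MIN_AGE, today)
        return AgeVerification(
            customer_id=customer_id, age_verified=ok,
            verified_at=datetime.now(timezone.utc).isoformat(),
            reviewer=reviewer, document_type="drivers_license")
    finally:
        if upload.exists():
            secure_delete(upload)


def retention_audit(upload_dir: Path, allowed_suffixes=(".json",)) -> List[str]:
    """Data-minimisation check: anything in the uploads area that is not a
    small verification record is a retained ID image, i.e. a finding."""
    return sorted(p.name for p in upload_dir.iterdir()
                  if p.suffix.lower() not in allowed_suffixes)


def demo() -> dict:
    """Run the flow on a constructed upload and report what remains."""
    workdir = Path(tempfile.mkdtemp())
    upload = workdir / "dl_12345.jpg"
    upload.write_bytes(b"\xff\xd8" + b"FAKE-JPEG-DATA" * 64)   # constructed
    rec = verify_and_discard("cust-12345", upload, date(1990, 5, 1),
                             reviewer="agent-7", today=date(2016, 4, 4))
    (workdir / "cust-12345.json").write_text(json.dumps(asdict(rec)))
    return {"verified": rec.age_verified,
            "image_remains": upload.exists(),
            "findings": retention_audit(workdir)}


if __name__ == "__main__":
    print(demo())
```

The `finally` block is the point: the image is gone on both the pass and the fail path, so a breach of the uploads area like the one in the letter has nothing to take, and `retention_audit` is the check an engineer would run periodically to prove that.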

nova3930
05-01-16, 22:32
I'm already on a 3-year freebie thanks to OPM's data breach nightmare last year (don't even get me started :mad:),

Yeah, after OPM gave away my entire life story, the only way it could be worse would be if someone went all Buffalo Bill, tracked me down and skinned me to steal my identity. So I really don't worry much about data breaches any more...

Total kicker on the OPM breach is that they also lost my wife's info, I guess from my SF-86, and the code they sent for monitoring was completely nonfunctional. Brilliant .gov, brilliant...

sevenhelmet
05-01-16, 22:35
EDITED: That was disrespectful. Sorry.

SeriousStudent
05-01-16, 22:57
Easy, my friend. I don't think Euro was accusing anybody of having an ugly baby. I do think that a lot of folks are really tired of getting letters like that in the mail. I sure am.

I have 16 IT certifications. The majority of them are security related. I get paid to both prevent and clean up breaches like the one you mentioned. The vast majority are preventable. I have only seen two that were not.

It's definitely a good thing to make people aware of security breaches as you did. The challenge is that people get so pissed that the tone sounds like "shoot the messenger".

Last week, the credit card companies issued new standards (PCI-DSS 3.2). These have more teeth in them than before.

https://www.pcisecuritystandards.org/pci_security/

But a lot of companies outsource their payment and compliance efforts. That's where stuff gets sticky. Security costs money, and the money usually comes only after a breach.

sevenhelmet
05-02-16, 09:19
Fair enough. I deserve what I get for posting that after a long day and a couple of whiskies. My apologies if any feelings were hurt.

I'm sick of letters in the mail too, and learning has occurred for me. I'm calling another vendor today to verify that they deleted my ID photo. If they haven't, I'll ask them to delete my entire account.

Alric
05-02-16, 10:36
In the telecom industry, we have a type of information called CPNI, or Customer Proprietary Network Information. The last penalty I saw for losing CPNI was around $10k per customer, and something like 5 years regulatory oversight. It's pretty clear that private industry doesn't care about security at all, and it won't until it hurts. As much as I hate government intervention and regulation, I hate losing my data and getting a paltry "one year's free credit monitoring" more. I suspect if all C-level executive pay was confiscated for the year a breach occurred and put into a fund to provide restitution to the victims, security would suddenly become a bigger deal.

Alric
05-02-16, 10:37
Security costs money, and the money usually comes only after a breach.

Even then, I've seen more than one study indicating that customers don't change their spending habits after a breach, and it has minimal financial impact on the company itself. It seems easier to pay for the fallout right now than it is to come up with comprehensive security plans, unfortunately.

Doc Safari
05-02-16, 11:08
I haven't gotten the letter yet, but then again I haven't ordered ammo from AIM in over two years. I wonder if this problem only goes back so far in time?

Campbell
05-02-16, 17:17
Called and cancelled account today...

SeriousStudent, can you explain how my driver license was at risk and not my CC information?? Thanks in advance, I'm very green in this area...

KTR03
05-03-16, 05:34
Couple of things of note here:
1) Agree that they screwed this up. No need to keep personally identifiable information like drivers licenses.
2) I have an internet only card I use to buy stuff. Makes it easier to manage risk that way.
3) One year credit monitoring is totally inadequate. Many hackers know that their victims will get credit monitoring for a year so they don't start building out false credit under your name until that year is over. That is why South Carolina extended their monitoring for 3 years after their data breach.

This is the sign of the times. Just like you have health insurance and car insurance, you really need to have some sort of credit watch/identity theft monitoring. My wife has been hacked through work. My health insurance provider got hacked. The state of SC got hacked, and the federal employee database got hacked. I have stopped counting...

.46caliber
05-03-16, 06:33
Called and cancelled account today...

SeriousStudent, can you explain how my driver license was at risk and not my CC information?? Thanks in advance, I'm very green in this area...

It all depends on what info is where and which systems and servers the hacker gained access to. Credit card info may be stored on a different server or in a different location altogether. The hacker may have gotten into the server that stores the DL images but not been able to find or access the server with billing info. PCI standards are pretty strict and specific about CC info.

Without more info regarding the breach, we can't definitively say how the hacker was only able to access DLs.

themonk
05-03-16, 06:36
Grand scheme of things, I would have rather had them get CC info vs the DLs.

BBossman
05-03-16, 07:00
Things like this are why I maintain multiple false identities.

Doc Safari
05-03-16, 09:10
Couple of things of note here:
1) Agree that they screwed this up. No need to keep personally identifiable information like drivers licenses.
2) I have an internet only card I use to buy stuff. Makes it easier to manage risk that way.
3) One year credit monitoring is totally inadequate. Many hackers know that their victims will get credit monitoring for a year so they don't start building out false credit under your name until that year is over. That is why South Carolina extended their monitoring for 3 years after their data breach.

I put my credit on hold for free with TransUnion. You can simply go to their website and your credit is frozen for 90 days. You can then extend it indefinitely from what I understand.



This is the sign of the times. Just like you have health insurance and car insurance, you really need to have some sort of credit watch/identity theft monitoring. My wife has been hacked through work. My health insurance provider got hacked. The state of SC got hacked, and the federal employee database got hacked. I have stopped counting...


I agree. I have Zander insurance and will be signing up for LifeLock when my next credit card billing cycle closes.

RazorBurn
05-03-16, 11:26
I haven't received the letter yet, and I've done quite a bit of business over the years and even this year with AIM Surplus. Anyone can get hit, look at Target. Heck, even my local dentist had a robbery where they stole his computers. I can't control what a criminal did to AIM Surplus. I will continue to do business with them, and I will be vigilant on my personal accounts. What Doc Glockster posted about TransUnion is good, and I will look into that. So far all my accounts are good. Who knows what the future holds for any of us. I personally have no problem with AIM covering their butts by insisting on drivers license information when purchasing ammunition.

JC5188
05-03-16, 11:52
I haven't received the letter yet, and I've done quite a bit of business over the years and even this year with AIM Surplus. Anyone can get hit, look at Target. Heck, even my local dentist had a robbery where they stole his computers. I can't control what a criminal did to AIM Surplus. I will continue to do business with them, and I will be vigilant on my personal accounts. What Doc Glockster posted about TransUnion is good, and I will look into that. So far all my accounts are good. Who knows what the future holds for any of us. I personally have no problem with AIM covering their butts by insisting on drivers license information when purchasing ammunition.

That's the problem. They covered nothing by requiring that information, and in fact put their customers at risk.

RazorBurn
05-03-16, 12:26
That's the problem. They covered nothing by requiring that information, and in fact put their customers at risk.

They also require a copy of my 03 C&R FFL for me to purchase C&R eligible firearms, which was also information that was stolen. All dealers require that by federal law. I like the fact I can upload it. That makes it easier and quicker for me, and I can confirm immediately that they have it.

Come on, don't act coy. You and I and everyone else in the world knows why they require a drivers license on file for online ammo sales. Federal law may not require it, but in the event some idiot buys ammo online to do something bad with it, at least they can say they did their best to verify that person's legality to purchase it. I have no idea what their local or state law says about online ammo purchases, do you? Again, hacks happen to everyone, even our beloved US government. I can't control the criminals, and neither can they. Life goes on, and I'll be vigilant. That's all I can do. I certainly will still do business with AIM Surplus too. They've always treated me right, and have very good pricing especially on holiday sales.

Others can do as they see fit, and I understand their want and right to do so.

Turnkey11
05-03-16, 13:20
I got that letter too. While I feel bad and angry, even the IRS system got hacked and SS # and other info were breached.

That was OPM, everyone working for the feds got hit with that one.

Sam
05-03-16, 13:26
That was OPM, everyone working for the feds got hit with that one.

Try again:

http://www.usatoday.com/story/money/2016/02/26/cyber-hack-gained-access-more-than-700000-irs-accounts/80992822/

JC5188
05-03-16, 13:33
They also require a copy of my 03 C&R FFL for me to purchase C&R eligible firearms, which was also information that was stolen. All dealers require that by federal law. I like the fact I can upload it. That makes it easier and quicker for me, and I can confirm immediately that they have it.

Come on, don't act coy. You and I and everyone else in the world knows why they require a drivers license on file for online ammo sales. Federal law may not require it, but in the event some idiot buys ammo online to do something bad with it, at least they can say they did their best to verify that person's legality to purchase it. I have no idea what their local or state law says about online ammo purchases, do you? Again, hacks happen to everyone, even our beloved US government. I can't control the criminals, and neither can they. Life goes on, and I'll be vigilant. That's all I can do. I certainly will still do business with AIM Surplus too. They've always treated me right, and have very good pricing especially on holiday sales.

Others can do as they see fit, and I understand their want and right to do so.

Not being coy at all. There is no legal requirement for them to have that on file. What if they asked you for a copy of your social security card/number? Would you also provide that? If not, why not?

Eurodriver
05-03-16, 14:03
They also require a copy of my 03 C&R FFL for me to purchase C&R eligible firearms, which was also information that was stolen. All dealers require that by federal law. I like the fact I can upload it. That makes it easier and quicker for me, and I can confirm immediately that they have it.

Come on, don't act coy. You and I and everyone else in the world knows why they require a drivers license on file for online ammo sales. Federal law may not require it, but in the event some idiot buys ammo online to do something bad with it, at least they can say they did their best to verify that person's legality to purchase it. I have no idea what their local or state law says about online ammo purchases, do you? Again, hacks happen to everyone, even our beloved US government. I can't control the criminals, and neither can they. Life goes on, and I'll be vigilant. That's all I can do. I certainly will still do business with AIM Surplus too. They've always treated me right, and have very good pricing especially on holiday sales.

Others can do as they see fit, and I understand their want and right to do so.

Sgammo doesn't require my DL on file. I buy from them all the time and they just got more of my business.

Feel free to disseminate your PII all over the internet to companies that obviously don't utilize even the most basic internet security protocols.

P.S. SGAMMO is consistently cheaper, with a wider variety, of ammunition sales than AIM Surplus.

Eurodriver
05-03-16, 14:08
I personally have no problem with AIM covering their butts by insisting on drivers license information when purchasing ammunition.

Neither do I. And if their website/storage server was encrypted (or they just got rid of the information after checking it) it would not be an issue. But they obviously didn't, and they obviously didn't give a shit about your safety because encrypting PII would literally have cost AIM about $0 in software and 20 minutes of a college MIS student's time.

I've got my personal hard drive partitioned and then encrypted with a second, hidden drive. You literally couldn't find it if you're the FBI. And I got the software from Google. But AIM just has tens of thousands of DL's chilling on some dude's computer? Piss poor concern for customer safety.

What AIM did is the equivalent of your LGS scanning every single 4473 into PDF-readable documents and then uploading them to a Dropbox account. Unnecessary and insecure.

Campbell
05-03-16, 16:10
It all depends on what info is where and which systems and servers the hacker gained access to. Credit card info may be stored on a different server or in a different location altogether. The hacker may have gotten into the server that stores the DL images but not been able to find or access the server with billing info. PCI standards are pretty strict and specific about CC info.

Without more info regarding the breach, we can't definitively say how the hacker was only able to access DLs.

Thanks-

.46caliber
05-03-16, 18:27
Come on, don't act coy. You and I and everyone else in the world knows why they require a drivers license on file for online ammo sales. Federal law may not require it, but in the event some idiot buys ammo online to do something bad with it, at least they can say they did their best to verify that person's legality to purchase it. I have no idea what their local or state law says about online ammo purchases, do you?

Totally understandable. They want to do what they can to mitigate risk of lawsuit. Encrypt the data and/or dump it to an offline storage space.

Mitigating legal risk is not an excuse for piss poor infosec of sensitive customer data. You can rationalize collecting and keeping the DLs, you can't rationalize how they stored it.

ABNAK
05-03-16, 19:03
I've had credit card fraud like 5 or 6 times over the last decade or so. It makes me want to find the slimy pieces of shit and break their fingers myself, one by one, with a ballpeen hammer and do it slowly so I can hear them scream and see them suffer. Yeah, I really fvcking mean it. If these scummy, sub-human assholes spent half the time and effort trying to make a legitimate living they'd succeed. I really really really hate these thieving SOB's.

RazorBurn
05-03-16, 19:17
Totally understandable. They want to do what they can to mitigate risk of lawsuit. Encrypt the data and/or dump it to an offline storage space.

Mitigating legal risk is not an excuse for piss poor infosec of sensitive customer data. You can rationalize collecting and keeping the DLs, you can't rationalize how they stored it.

This I cannot disagree with. I would assume they're like any other company that outsources their website. They don't know there's a problem until one rears its ugly head. If they did know there could be a potential problem then that's a different story. I know the company I used to work for just paid a company to host and design most of the website we had. We could do custom pages, but for the most part the website was sourced by another company. I do not claim to be the most knowledgeable tech/technology-savvy guy either, so bear with me.

I agree with you ABNAK. They need their hands and tongues cut off.

.46caliber
05-03-16, 20:05
This I cannot disagree with. I would assume they're like any other company that outsources their website. They don't know there's a problem until one rears its ugly head. If they did know there could be a potential problem then that's a different story. I know the company I used to work for just paid a company to host and design most of the website we had. We could do custom pages, but for the most part the website was sourced by another company. I do not claim to be the most knowledgeable tech/technology-savvy guy either, so bear with me.


A business has to keep in mind, it's their reputation at stake. If a business trusts an outside web hosting service to store sensitive info and it's compromised, the customer is soured to the business not the 3rd party. Outsourced services can be great for bottom lines and efficiency, but they have to be used wisely.

Turnkey11
05-04-16, 01:25
Try again:

http://www.usatoday.com/story/money/2016/02/26/cyber-hack-gained-access-more-than-700000-irs-accounts/80992822/

Mine is bigger...

https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach

jpmuscle
05-04-16, 01:49
Neither do I. And if their website/storage server was encrypted (or they just got rid of the information after checking it) it would not be an issue. But they obviously didn't, and they obviously didn't give a shit about your safety because encrypting PII would literally have cost AIM about $0 in software and 20 minutes of a college MIS student's time.

I've got my personal hard drive partitioned and then encrypted with a second, hidden drive. You literally couldn't find it if you're the FBI. And I got the software from Google. But AIM just has tens of thousands of DL's chilling on some dude's computer? Piss poor concern for customer safety.

What AIM did is the equivalent of your LGS scanning every single 4473 into PDF-readable documents and then uploading them to a Dropbox account. Unnecessary and insecure.
Tell us more about this encryption software with links if possible.

Please and thank you

Sent from my XT1585 using Tapatalk

williejc
05-04-16, 15:27
Homeboy's super spy, hide everything software is ok but not great. I'm an old Fudd, and I hacked his second, third, and fourth partition long ago. To this day I continue to enjoy his fat chick with dense underarm hair collection. :secret: :dirol:

RWH24
05-04-16, 16:44
I have been unable to use the free protectmyid program yet.

It says
Please enter a valid activation code. Verify the characters you are entering. Verify the code you are entering matches what is on the notification you received.

What am this IT Dummy doing wrong?

.46caliber
05-04-16, 17:56
I have been unable to use the free protectmyid program yet.

It says

What am this IT Dummy doing wrong?

Top off your hard drive fluid.

But seriously, entering a password or key either works or it doesn't. Triple check you're typing it in correctly, watch caps lock. If it doesn't go, it may be an invalid key.

T2C
05-04-16, 18:54
Homeboy's super spy, hide everything software is ok but not great. I'm an old Fudd, and I hacked his second, third, and fourth partition long ago. To this day I continue to enjoy his fat chick with dense underarm hair collection. :secret: :dirol:

Prior service Navy? Just a guess by an old swab handle.

Eurodriver
05-05-16, 07:02
Tell us more about this encryption software with links if possible.

Please and thank you

Sent from my XT1585 using Tapatalk

https://sourceforge.net/projects/truecrypt/files/TrueCrypt/TrueCrypt-7.2.exe/download

I installed the previous version which was by and large considered impenetrable (if you're familiar with how encryption works, you'd know this is very possible). However, the newer version is no longer "as secure" for future installations but you have to take that into context.

Can the FBI break into it by spending hundreds of thousands of dollars and thousands of hours? Maybe.

Is your DD214 secure from identity theft by some low level hackers with time on their hands? No question.

Source with 2 independent audit results: https://www.intego.com/mac-security-blog/truecrypt-has-been-audited-should-you-use-it/

AIM Surplus could have easily encrypted all of this information in a half hour and never had this issue.

.46caliber
05-05-16, 08:20
Regarding TrueCrypt, here's more info. Worth noting that the original developers are recommending to use something else as they are no longer actively maintaining the software.

https://en.m.wikipedia.org/wiki/TrueCrypt

Sam
05-05-16, 08:22
So AIM is lax in their protection of our personal information. What other online vendors including those that advertise on this site that are not using higher level of protection against hacking and evil doers?

SomeOtherGuy
05-05-16, 09:09
Mundane question: I know for certain that my DL and dealer's FFL were uploaded to AIM on their website, though several years ago. I have not received any letter from them. Does AIM have a dedicated "data breach" contact email? Is anyone else in this situation?

C4IGrant
05-05-16, 10:34
So AIM is lax in their protection of our personal information. What other online vendors including those that advertise on this site that are not using higher level of protection against hacking and evil doers?

The main thing we see with a lot of online retailers is that they hold people's CC info (on their server). We use an encrypted third party to process CCs on our website. They pass through in seconds and then are deleted. It is so safe that I do not even see our customers' CC info. :-)


C4

sevenhelmet
05-05-16, 12:47
The main thing we see with a lot of online retailers is that they hold people's CC info (on their server). We use an encrypted third party to process CCs on our website. They pass through in seconds and then are deleted. It is so safe that I do not even see our customers' CC info. :-)


C4

Sounds reasonable. What about the 3rd party?

C4IGrant
05-05-16, 13:26
Sounds reasonable. What about the 3rd party?

Encrypted and controlled by Quickbooks.


C4

.46caliber
05-06-16, 06:46
Sounds reasonable. What about the 3rd party?

That's where PCI compliance comes in. The rules and regulations that govern how CC info is handled and processed. There's a lot to it; the manual takes more than a ream of paper to print, IIRC.

What Grant is doing is smart. The sensitive CC data is in a separate location with a bigger company that has more security resources. You spread the data out and it minimizes what an attacker can get to.

AKDoug
05-06-16, 13:51
My company is the same way. I hold credit card info for charge accounts, but it is offsite. I cannot access those numbers in any way. All I can see in my system is the last 4 digits and the expiration date. PCI compliance has cost me thousands of $$ in the last few years in new c.c. machines and software.

In the old days (10 yrs ago..LOL) I could actually access credit card numbers and run them on people who owed me money. I never lost a challenge on them either.
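The card-handling model C4IGrant, .46caliber and AKDoug describe (the processor holds the number, the merchant sees only a token, the last four and the expiry), written out as an added example. This is not Grant's, AKDoug's or QuickBooks' code; `FakeProcessor` is a stand-in constructed for the illustration, and the test card number, expiry and customer ID are made up.

```python
"""Added example: tokenised card storage that keeps the PAN out of the
merchant's database. Not code from any poster or processor. FakeProcessor
stands in for a real PCI-compliant processor's vault."""
import re
import secrets
from dataclasses import dataclass
from typing import Dict


def luhn_ok(pan: str) -> bool:
    """Luhn check, the usual first-line sanity test on a card number."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class FakeProcessor:
    """Simulated processor vault: the merchant never gets the PAN back,
    only an opaque token it can charge against later."""
    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}

    def tokenize(self, pan: str, exp: str) -> dict:
        pan = re.sub(r"\D", "", pan)
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", exp):
            raise ValueError("expiry must be MM/YY")
        token = "tok_" + secrets.token_urlsafe(16)
        self._vault[token] = pan
        return {"token": token, "last4": pan[-4:], "exp": exp}

    def charge(self, token: str, cents: int) -> bool:
        return token in self._vault and cents > 0


@dataclass
class StoredCard:
    token: str
    last4: str
    exp: str


class MerchantDB:
    """What the merchant keeps. There is no field that can hold a PAN, so a
    breach of this table yields nothing chargeable anywhere else."""
    def __init__(self) -> None:
        self.cards: Dict[str, StoredCard] = {}

    def save(self, customer_id: str, vault_reply: dict) -> StoredCard:
        if set(vault_reply) != {"token", "last4", "exp"}:
            raise ValueError("refusing to store anything but token/last4/exp")
        card = StoredCard(**vault_reply)
        self.cards[customer_id] = card
        return card

    def display(self, customer_id: str) -> str:
        c = self.cards[customer_id]
        return f"**** **** **** {c.last4} ({c.exp})"


def checkout(db: MerchantDB, proc: FakeProcessor, customer_id: str,
             pan: str, exp: str, cents: int) -> dict:
    """The PAN is handled once, in memory, and only the token persists."""
    vault_reply = proc.tokenize(pan, exp)
    card = db.save(customer_id, vault_reply)
    paid = proc.charge(card.token, cents)
    return {"paid": paid, "on_file": db.display(customer_id)}


def demo() -> dict:
    db, proc = MerchantDB(), FakeProcessor()
    test_pan = "4111 1111 1111 1111"      # constructed; passes Luhn, not a real account
    result = checkout(db, proc, "cust-42", test_pan, "12/20", 4999)
    digits = re.sub(r"\D", "", test_pan)
    result["pan_in_merchant_db"] = any(
        digits in v for c in db.cards.values() for v in vars(c).values())
    return result


if __name__ == "__main__":
    print(demo())
```

The `save` guard is deliberately strict: it refuses anything except the three fields, so a future "helpful" change that passes the full processor response through cannot quietly widen the merchant's PCI scope.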

.46caliber
05-06-16, 19:14
My company is the same way. I hold credit card info for charge accounts, but it is offsite. I cannot access those numbers in any way. All I can see in my system is the last 4 digits and the expiration date. PCI compliance has cost me thousands of $$ in the last few years in new c.c. machines and software.

It is costly in terms of money and time to get compliant, but it could save even more in the long run.

sevenhelmet
05-07-16, 09:36
Thanks for the info, fellas. Grant, would your infosec be apparent to a customer? For those with online retail experience, what are some indicators that I, or other customers, could use to identify businesses like Grant's, which employ solid PII/FI security?

Obviously not giving an I.D. when it's not needed is #1 lesson learned...