In this article Customer Data Breach Who leaked the data? Who affected the end user Bergen Logistics protocols data breach status protection of your data how and why we report data breaches website Planet What is it? Company name and location: Bergen Logistics, located in the United States, Canada, Europe and Asia. Size: less than 100MB, 467,979 records exposed Data storage format: ElasticsearchCountriesInfected:USA
The Website Planet security team discovered a data breach affecting BergenLogistics, a fast-growing order fulfillment provider headquartered in New Jersey, USA.
Bergen is the market leader in business-to-business logistics for the fashion and lifestyle sectors. It operates globally with warehouses in the U.S., Canada, Europe and Asia.
On December 28, 2020, our security team discovered an open ElasticSearch server belonging to Bergen. This server was unsecured, without any password protection or encryption, and could have exposed thousands of Bergen customers.
A few days later, we checked the database again and found that most of it appeared to have been deleted by a hacker who had left a ransom note.
From our findings, it appears that any customer or client doing business with Bergen, or receiving packages from Bergen USA, may have been exposed by this data breach.
The leaked customer datacontained shipment details of customer addresses, phone numbers, first names, last names and emails. In addition, plaintext login credentials containing customer account emails and passwords were made public.
Hundreds of thousands of these files were left unprotected, and the hackers appear to have found the database and possibly saved it on the server - emptying ElasticSearch.
The total **** exposed on Bergen's open servers was 467,979 customer records, which equates to 100MB of data. Many of the files were dated December 2020, indicating that the server was active and in use at the time of the breach.
About 6,000 of these publicly available files contained customer shipment details. Customer first names, last names, addresses, phone numbers and emails can be found in these files. In addition, there are about 3,000 records detailing the customer's login credentials. This is extremely dangerous as emails and passwords listed in plain text can be used to commit fraud against the customer in question. Examples of both can be found below.
It appears that most of the compromised data relates to U.S. customers, with more than 465,000 public records containing directly identifiable customer data. That's a sensible estimate, suggesting that every one of those customers could have been affected.
Who leaked the dataBergenLogistics is a market-leading order fulfillment provider, which means it stores, picks, packages and delivers customers' products to their retail stores. Bergen also provides logistics solutions directly to customers in online marketplaces and e-commerce stores.
Bergen is dedicated to providing realization solutions for a range of industries, from fashion to home products, electronics and medical devices. Bergen operates primarily in the fashion sector, supplying footwear, handbags, accessories, cosmetics and fragrances on behalf of brands and stores around the world.
BergenLogistics currently employs 149 people and has an estimated turnover of $52 million (according to rocketreach).
Those affectedMany of the businesses BergenLogistics worked with may have been exposed, and Bergen's exposure to B2C deliveries suggests that information on public customers can also be found on the database.
Some high-profile customers do business with Bergen Logistics.Bergen supports e-commerce platforms such as Shopify, Magento and Sellect, while working with well-known brands such as LelaRose, LoveShackFancy, 3.1PhilipLim and Todd Snyder.
As mentioned, it's unclear whether the exposed files will affect customers outside the United States. All of the brands mentioned above, as well as any other U.S. customers and related e-commerce stores that do business with Bergen Logistics, are at risk of a data breach.
Impact on End UsersWe are confident that hackers have been able to access and download files from Bergen's unsecured database. While their primary intent appears to be focused on extorting money from Bergen Logistics, it is not known if these hackers intend to use customer information to assist in other criminal activities.
It is also possible that other unethical hackers may have accessed the database, in which case interested parties should be aware of the various risks associated with the exposure:
Identity Theft and Fraud - Compromised personal data, such as names, addresses, emails, and phone numbers, could have been used to target identity-theft customers, allowing hackers to conduct fraudulent activities on several other platforms. Fraud, Phishing and Malware - Exposed email addresses and phone numbers may be used to target customers. Criminals will contact customers through one of these mediums, building trust by divulging the personal information obtained. Over the phone, they may try to trick victims into disclosing their bank account information or other personal information. Through email, they may try to convince people to click on a link from which they can install malware on the victim's device. Commercial espionage - Competitors who discover compromised user lists may target businesses. Theft - Available personal information and shipping details mean that a large number of products could be intercepted by criminals and be vulnerable to theft.AccountTakeover - Criminals with access to customer login credentials can use that information to log into accounts and commit fraud, steal financial information, intellectual property, and sell or use the information found on the account to commit further crimes. Implications for Bergen Logistics Under Section 5 of the FTC Act, Bergen Logistics is required to comply with the Privacy Commitments published by the FTC and is required to provide adequate security of personal information when conducting business within the United States.
Any failure to comply with these conditions authorizes the FTC to take enforcement action against the business in question. If a business or individual is found guilty, they will be arrested or fined up to $100 million.
Bergen's operations in the EU also mean the company is subject to GDPR laws. If Bergen is found to have lost, compromised or provided access to customer data, it could face an additional fine of about $24 million, or 4 percent of turnover, whichever is greater.
Loss of business
This data breach could also damage Bergen Logistics' reputation, with loss of business a common outcome.
Bergen failed to protect its customers' data, and in doing so, it left its customers vulnerable to hackers and criminals. As a result, some existing customers may lose trust in Bergen and look for business elsewhere, and the leak could also affect any future trade with new customers.
Competitive Espionage
Competitors may use espionage (spying) to gain a commercial or financial advantage over Bergen Logistics.
Based on the information disclosed, Bergen (and all customers associated with this breach) may be at risk of competitive espionage. Hackers could pose as customers or members of the business to gain access to confidential information related to accounts, business operations and even trade secrets.
They could steal this information and by gaining access to customer details, competitors could even disrupt Bergen's business operations.
Status of the data breach
We must emphasize that while ransom notices have been found, these are common (and often automated) messages sent to open databases. We are unable to provide evidence that anyone actually copied the Bergen data.
Our security team discovered the open database on December 28, 2020, and Bergen Logistics was notified on the 30th.31 On the 31st, the database was wiped and the team discovered the ransom records. After checking the server again on November 15, 2021, our team found that the database was still not secure. Similarly, Bergen was notified of the data breach multiple times, and we received a response from one of their executives on 20214, which we disclosed, but as of this date, we have not received a response from him or on the matter.
The Computer Emergency Response Team (CERT) was contacted on several occasions, but they have not responded.
All publicly available data is accurate and relevant to Bergen Logistics' customers and business operations. While there may be examples of test data, any customers we find involved are real individuals.
Protecting your dataData breaches are a worrying ordeal for those customers unfortunate enough to be involved. While the following steps will not guarantee the safety of involved customers, they are necessary to reduce the threat of malicious criminal activity.
First, if you have lost trust in an organization, it is perfectly legitimate to request that your data be deleted. Companies must adhere to privacy standards. Vigilance should also be exercised when working with unknown parties via phone or email. If a party claiming to be a trusted company asks you to provide personal information, click on a link or download a file, refuse to comply until the party proves it is legitimate.
Account takeover is another concern for anyone who thinks they may have been affected by this breach. Hackers can use this information to log into customer accounts. Customers should change their passwords and usernames for their account i