Cyber Incident Victim: Aeropost
Date:
Apr 2022
Location:
United States of America
Summary
Aeropost, a U.S.-based logistics and package delivery firm, experienced a credit card data breach that compromised customer payment information. The incident also impacted users of Mailpac Group Limited, a courier service partnered with the company. Affected individuals were notified to review their financial statements for unauthorized transactions, report suspected fraud to card issuers, and request replacement payment cards. The breach exposed sensitive financial details but did not disclose the specific number of compromised accounts or the attack methodology.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In April 2022, Aeropost, a Florida-based logistics and package delivery company, experienced a data breach compromising customer credit card information. The incident came to light when affected customers received direct email notifications from the company advising them to review their credit card statements for fraudulent transactions. Aeropost's communication explicitly stated that credit cards had been "compromised" and urged customers to promptly report any suspicious activity to their card issuers. The company further recommended that impacted individuals request replacement credit cards as a precautionary measure. While the breach originated within Aeropost's systems, it also affected customers of Mailpac Group Limited, a Jamaican courier company partnered with Aeropost for delivery services. Mailpac customers received identical breach notifications despite the compromise occurring at Aeropost, indicating shared customer data or integrated payment processing between the organizations. Neither company disclosed the specific attack vector, duration of unauthorized access, or total number of affected individuals in the initial notifications.
The breach's primary impact centered on financial fraud risks stemming from exposed payment card details. Customers faced immediate demands to monitor accounts and initiate card replacement procedures, creating operational burdens for both financial institutions and cardholders. Aeropost's response focused exclusively on customer notification and reactive fraud mitigation guidance rather than detailing technical containment measures or system remediation efforts. No information was publicly released regarding whether the companies involved law enforcement, initiated forensic investigations, or implemented enhanced security controls post-breach. The incident drew public criticism in Jamaica due to Mailpac's involvement, highlighting cross-border data vulnerability concerns when local companies rely on international partners. Both organizations faced reputational damage as customers publicly shared breach notifications, though neither entity provided subsequent updates on the scope or root cause of the compromise beyond the initial customer advisories.