Cyber Incident Victim: AF Smith
Date:
Sep 2016
Location:
Bermuda
Summary
A Bermuda-based office supplies firm notified customers of potential credit card fraud linked to transactions through its Apple website, prompting suspension of sales on the platform. The company stated it found no evidence of a breach in its systems, emphasizing that payment processing was handled externally by a banking gateway without storing card details internally. Customers were advised to monitor their financial statements amid broader reports of fraudulent activity affecting local credit cards. The website displayed only a maintenance notice during the investigation period.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In September 2016, office supplies company AF Smith suspended sales on its Apple-branded e-commerce site (apple.afsmith.bm) following concerns about credit card fraud targeting customers. The company proactively notified affected customers about "recent fraudulent activity in Bermuda involving credit cards" but stopped short of confirming a direct breach of its systems. AF Smith's digital marketing specialist John Zakszewska publicly asserted there was no evidence of a system compromise, emphasizing their payment architecture did not store or process credit card data directly. Instead, transactions were routed through a bank-operated payment gateway, theoretically limiting their exposure to payment card data. The website displayed only a generic maintenance notice during the suspension period, with no explicit security warning visible to visitors. This incident occurred against a backdrop of heightened credit card fraud reports in Bermuda, though specific details about the fraudulent transactions' scope or timeframe were not disclosed by the company.
The operational response included an immediate sales suspension on the affected platform while AF Smith conducted internal investigations. Customer communications focused on advising vigilance regarding credit card statements rather than confirming data compromise. Technical statements from the firm highlighted their third-party payment processing model as a protective measure, though the exact relationship with the banking gateway provider remained unspecified. No forensic findings, attacker methodologies, or system vulnerabilities were disclosed publicly. The incident's public documentation originated from media reports rather than official breach notifications, with secondary coverage noting the absence of detailed consumer alerts on AF Smith's digital properties. Financial impacts were limited to suspended sales operations on the Apple-specific sales channel, with no reported data on fraudulent charges or customer losses attributable directly to the website.