Aptos, an outsourced point-of-sale vendor for many businesses, announced that they were breached. Sort of announced, but not really.
The breach was active from February 2016 through November 2016, but they didn’t notify their merchants until February of this year. Now the merchants are slowly notifying their customers. Potentially, customers are not going to be notified until a year after their card was compromised. Aptos is not notifying the compromised customers at all; they are leaving that up to the merchants.
If you are being proactive and watching the activity on your cards, you would have been aware of the fraud long before you found out about it from them.
When contacted, Aptos said that they were not going to say who was breached and would leave it up to the merchants. According to a blurb of a WSJ article, Aptos apparently told at least some of their merchants that they didn’t have to disclose the breach, but attorneys are disagreeing with that. Some of the merchants affected are:
- Abbott Store.com
- Liberty Hardware.com
- Mrs Prindables.com
- Affy Tapple.com
- Alpha Industries.com
- Atlantic Cigar.com
- Blue Mercury.com
- Movie Mars.com
- Pegasus Lighting.com
- Plow and Hearth.com
- Vapor Beauty.com
- West Music.com
- Percussion Source.com
- and a number of others
For an updated list of affected merchants, visit the Data Breaches link below.
Information taken includes name, address, email, phone number and credit card information.
Some of the merchants are offering credit monitoring. Hopefully if you bought anything from these merchants, they have already reached out to you.
Besides the hassle if your card was compromised, this is yet another example of outsourcing something that is not core to your business to make your life easier, only to have it make your life harder and cost you money.
Most of these merchants are small, which means that they are less able to deal with the reputation hit. Remember that cyber insurance will not pay for your damaged reputation – to deal with that, you would have to sue the outsource vendor.
Some thoughts –
- Make sure that you do your due diligence before you sign up with an outsourcer to run your point of sale system.
- Make sure that you have cyber risk insurance and that it covers this kind of situation.
- Make sure that your agreement with the outsource vendor specifies who is liable, exactly WHAT they are liable for and how you are going to get paid for the damage.
- Make sure that the outsource vendor has cyber risk insurance as well.
So while you can't eliminate risk, at least you can work on reducing that risk. The due diligence and insurance are critical.