BREAKING: AIM Surplus’ Database Breach Compromises Customer Data


On April 26th AIM Surplus sent a notice of data breach to the State of California regarding a breach of their image database that occurred on April 4th, 2016. This database housed images containing customer names, images of their firearm licenses, and documents used for age verification. Many US shooters have purchased something from AIM Surplus and are affected by the breach; I myself fall into that category. At this time there is no indication of how extensive the breach was or how far back the data goes. The notice did state that no payment information, order history, or account information had been compromised, only the names of customers and their state IDs.

AIM does appear to be offering a year of free ProtectMyID from Experian to help their customers detect whether their information has been misused. AIM Surplus has also removed all the images from the server and is working with a security firm to fix the lack of security in their upload feature. The security firm will also be taking a hard look at the entire site for any other potential security issues. You can read the notice below or follow the link to view it on the State of California's server.

I reached out to AIM Surplus and there has been no comment as of this time.

[Images of the four-page breach notice filed with the State of California]



Patrick R

Patrick is a Senior Writer for The Firearm Blog and works in the shooting sports industry. He is an avid recreational shooter and a verified gun nerd. With a lifelong passion for shooting, he has a love for all types of firearms, especially handguns and the AR-15 platform. Patrick may be contacted at tfbpatrick@gmail.com.

The above post is my opinion and does not reflect the views of any company or organization.




  • ozzallos .

    Just got this notice today from an SKS I bought there about a year ago. Between this, the government and a local college, I’m covered for *at least* four years of Identity Theft Protection now 😛

    • livingonenergydrinks

      Yeah like a free box of ammo of your choice. That is probably less expensive than what they have to pay for identity protection.

      • raz-0

        It is becoming apparent they don’t pay anything for the identity protection. Or nearly nothing. Most of these identity protection freebies are for a limited time, often have you put in a CC # to activate, and auto renew. It’s just a customer acquisition expense to the service.

        • antiliberalcryptonite

          Bingo.

        • GRComments

          I signed up. No credit card. I just had to verify my info on Experian’s site. I do expect a hard sell in a year or so. But, I can ignore that.

        • Mike Lashewitz

          No credit card # here… I do not have a credit card either. I am not an idiot…

          • Doug73

            Aside from the fact this breach has absolutely nothing to do with anyone’s credit card number, possessing a credit card does not make someone an “idiot”. Misusing a credit card can make someone an idiot, but merely possessing one has no link whatsoever to intelligence.

            Personally, I have MADE over $300 in the last two years with my Discover Card, while paying Discover exactly $0.00 in interest and fees. You just have to be smart enough to beat them at their own game. Admittedly, most people aren’t. But that isn’t the fault of the credit card.

            Like guns, credit cards are inanimate objects. They are neither inherently good nor inherently bad. Only PEOPLE make them good or bad. I must have made mine good, because as of April 14th my credit score was a perfect 850.

          • Mike Lashewitz

            I have perfect credit as well. I do not have a credit card because I have no need to pay interest. The only debt I have is my home, and that would have been paid off if it were not for my children getting into trouble.
            I come from a time before credit cards, a time when you only bought things when you could afford them. I have witnessed too many people do spur-of-the-moment spending and end up screwed.
            I was receiving at least 3 "loan offers" every week for decades, until I started using their prepaid envelopes and sent them back.

        • Shocked_and_Amazed✓ᵛᵉʳᶦᶠᶦᵉᵈ

          Absolutely

    • Cal S.

      I was only involved in one data breach to get 3 years. I can’t tell you what it was for, but I can hint that the culprit was…wait for it…China.

      Yeah, go figure. It’s always China. Or, somebody from California and Nigeria (my princess!).

      • MichaelZWilliamson

        Want to bet that China sells all that info to the NSA?

        It’s not spying. It’s commerce.

        • me me

          naw China gonna invade US. They collected that info on who key federal bureaucrats are and their personal reliability info a few months back. I was already expecting NRA break in or something to reveal where all the private weapons are stored.

          LOL – really it almost that. Heard rumor that Chinese hackers are releasing what is expected to be a very popular world conquest game using real data. *wink*

          • MichaelZWilliamson

            I’m no conspiracy theorist. It wouldn’t surprise me at all if certain high-ranking idiots who’d try to track US firearms to Mexico would be morally certain AIM was selling to Mooslims and that if they buy the info from outside it really wouldn’t constitute spying.

            Or it could be someone wanted a list of gun owners to publicly embarrass.

        • Cal S.

          Lol! This is too accurate…

      • Lt_Scrounge

        The Russian Mafia (mostly former KGB spooks) are behind a lot of the data breaches. That’s why Kaspersky Anti Virus is so good, but using it is so questionable. The programmers are almost certainly related to the old KGB and who knows what back doors it may have.

    • Mikial

      Same here. I received the same notice, and between the USG breach and two others, plus now this one, I have lots of Identity Theft protection.

      And I agree, I’d rather have a tangible compensation from them.

    • Shocked_and_Amazed✓ᵛᵉʳᶦᶠᶦᵉᵈ

      I have had 4 credit cards replaced in the last 2 years.

  • Vhyrus

    Good thing I only ever purchased little stuff from them. They don’t have my id on file.

  • Big Daddy

    great

  • KestrelBike

    Heh, nothing that hasn’t been stolen before or is already available through a whole host of other publicly searchable databases…

  • Anonymoose

    I’ve moved and changed credit cards since the last time I did business with them, so I’m not worried.

  • Bob

    So someone may have my ID and could presumably buy stuff under my name…

    • Patrick R.

      Only the IDs were affected, not payment information. I clearly covered what was affected.

      • Bob

        Right. They can use my ID.

  • John

    Meh.

    My guess is that the hacker is much, much more frightened of the gun owners in the United States –alone– than the gun owners are of the hackers getting their particular information.

    Remember that, people. The ants outnumber the grasshoppers.

    • Patrick R.

      I tend to think that is not the case, after all the hacker did ignore the law and the multitude of law enforcement agencies that investigate this sort of thing.

      • CountryBoy

        ….because the risk of being caught vs. the rewards of the info gained is very much in his favor.

        LE doesn’t care, the FBI is useless, and this is the real reason we still have this stuff going on, along with the fact that most site operators assume way too much is done by their site host, or that they’re “under the radar”.

        Just like in other areas, people never think it can happen to them.

  • allannon

    Got a notice about this today. Annoying, but basically if you have a website all you can do is try to make it more trouble than it’s worth to hack; there’s always some vulnerability coming up that someone can use.

    • Budogunner

      You can also encrypt file uploads so they aren’t sitting on the server in the clear.

  • Kirk Newsted

    Does this cover just Kalifornia? I buy stuff from them fairly often and I haven’t gotten any letter or e-mail.

    • smartacus

      I’d like to know this too. Is it limited to Kalifornia? And how do we believe them?

      • Weaver

        I got a letter and I live in Pa. So it’s not just California

    • ozzallos .

      Received mine here in AZ.

    • GRComments

      I’m in Michigan. I got the letter. Sometime, the 26-29th.

    • knotjammin2

      GA too.

  • smartacus

    Now I have something else to worry about!!!
    I strongly disagreed with them when they asked for mine!
    I live in a state where it is not even required.

    What should I do now to protect myself??

    • smartacus

      How far back do (did) they keep the images?

      • smartacus

        How soon before we don’t have to worry about a follow-up saying
        “oops credit card info also got compromised by the website and we are working with our webmaster to assure you of the highest quality service etceteraaah etceteraah etceteraah”

        • Budogunner

          Probably never. If they have any brains at all they are using a 3rd party payment processor. If so, your payment information is sent in an encrypted fashion to that vendor, which processes the payment, tokenizes the transaction, and sends that token (which is indecipherable to anyone but them) back to AIM for reference. That way, AIM would never handle or store your payment information.

          If they aren’t doing that, I don’t know what to say.
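
The flow that comment describes, carried end to end as an added example for this article (it is not AIM's code nor any real processor's API; the class names, the `tok_` token format and the Luhn check are assumptions made here). It shows why a dump of the merchant's database contains nothing a card thief can use:

```python
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Basic card-number sanity check (Luhn mod-10) before tokenising."""
    if not re.fullmatch(r"\d{12,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class PaymentProcessor:
    """Stands in for the third-party processor. Its vault is the only place
    a card number lives; a token is a random handle, not an encoding of it."""

    def __init__(self):
        self._vault = {}  # token -> (pan, expiry); never exposed to merchants

    def tokenize(self, pan: str, expiry: str):
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_urlsafe(18)  # assumed token format
        self._vault[token] = (pan, expiry)
        return token, pan[-4:]  # merchant gets a handle plus last4 for receipts

    def charge(self, token: str, amount_cents: int) -> dict:
        if token not in self._vault:
            raise KeyError("unknown token")
        return {"ok": True, "amount_cents": amount_cents}


class Merchant:
    """Stands in for the shop. It stores tokens and last4, never the PAN."""

    def __init__(self, processor: PaymentProcessor):
        self.processor = processor
        self.orders = []

    def checkout(self, customer: str, pan: str, expiry: str, amount_cents: int) -> str:
        token, last4 = self.processor.tokenize(pan, expiry)
        self.processor.charge(token, amount_cents)
        self.orders.append({"customer": customer, "token": token,
                            "last4": last4, "amount_cents": amount_cents})
        return token

    def database_dump(self) -> str:
        """What an intruder who reads the merchant's database would see."""
        return repr(self.orders)


def demo() -> dict:
    proc = PaymentProcessor()
    shop = Merchant(proc)
    pan = "4111111111111111"  # constructed: a well-known Luhn-valid test number
    token = shop.checkout("alice", pan, "12/29", 4999)
    dump = shop.database_dump()
    try:
        shop.checkout("bob", "4111111111111112", "12/29", 100)  # fails Luhn
        invalid_rejected = False
    except ValueError:
        invalid_rejected = True
    return {
        "pan_in_merchant_db": pan in dump,
        "token_in_merchant_db": token in dump,
        "token_reusable": proc.charge(token, 100)["ok"],  # recurring charge works
        "token_meaningless_without_vault": token not in PaymentProcessor()._vault,
        "invalid_pan_rejected": invalid_rejected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

One caveat on the model: the merchant's checkout still touches the card number for the single request that mints the token. Hosted payment fields that tokenise in the customer's browser take the merchant's server out of that path entirely, which is what keeps card data out of scope when the shop itself is breached.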

          • iksnilol

            You really expect AIM to be doing that?

        • Ray solomon

          I have had 3 attempts at fraudulent charges against my card last week. All from California. I purchased an AR15 from AIM Surplus last month with this card. Hmmm…

          • smartacus

            OMG! that is beyond coincidental

          • Doug73

            If he only used his card at Aim, then sure. But if he also used it at 10 other places…then not really.

          • smartacus

            if he used his card at those 10 other places before…then really

          • Oh damn not good at all. I hope you canceled that card!

      • GRComments

        I bought some ammo from them in 2013. You have to provide proof of age (drivers license) so they had that. But, I was told that that information wasn’t stolen. So, it may not have been available on the server.

  • smartacus

    How do we find out if we are one of those compromised?

    • smartacus

      They removed the images?
      A lot of good this will do now, after the fact.

      • Budogunner

        Not likely. I believe they just moved the images off of the Web host… like they should have been doing all along.

        They still have them, they are just (hopefully) being stored in a non-public-facing location.

        • smartacus

          aw man, even the damage control is not very reassuring then

        • Doug73

          Perhaps I’m a Luddite, but sometimes I reflect nostalgically on the days of file cabinets.

  • jess

    Great, my ID and FFL are out there in the wild. I haven’t received a letter though, so maybe I wasn’t affected.

    • smartacus

      Why do i feel like not getting a letter from them doesn’t mean i’m not affected :0

  • Nick D

    That address of PO Box 265 Claysburg, PA is a little suspect. Why would they have that address when they’re not based in PA? Google that address and see a notice of a data leak from Cook County Health & Hospitals System. Also, part of the letter from Cook County is in Polish. Is there a company operating in Claysburg PA that just handles data breaches or is this a scam?

    • GRComments

      The return address is a standard address used by (I think) Experian for all their mailings to people when a company hires their services. I wondered, too. But when you call the number, you talk with a person who explains some things.

    • CountryBoy

      It’s probably from Experian, or whomever is handling this response to the breach.

  • Brocus

    Fool me once… suffice it to say that AIM won't get any more business from me given how fast and loose they played it with the documents I provided them.

    • Budogunner

      In fairness, INFOSEC is an IT subspecialty that not everybody understands. From personal experience I can say it is very hard to sell security related products or services as people don’t think they will receive any end benefit.

      In this case, I’m guessing the intrusion vector was the website. This is why, as a business, you should NOT GO CHEAP on your website. But people see ads for wix and squarespace and assume a custom site with specialized business logic should be cheap. They also think it is a one and done deal. In reality, you need regular maintenance, security updates, and constant monitoring.

      I don’t mean to sound so grouchy, I’ve just grown tired of interacting with companies that consider the risk of a breach acceptable, fiscally, versus actually protecting customer data.

      • deserada

        They said in the report it was an exploit based on their system for uploading user documentation (i.e. photo identification or FFL).

        • Budogunner

          That is part of their website, is it not?

          • livingonenergydrinks

            Yeah it is. My guess is the developer used some third party component to do the file uploads, and the hacker knew of some security flaw in that component. SQL injection is another way they will get in. What would be even worse is if this was as simple as the directory that the images were stored to had the list contents property enabled, allowing anyone to get a full list of all images in the directory.

      • Doug73

        I think it’s unfair to insinuate that AIM “considers the risk of a breach acceptable.”

        I find it far more likely that AIM’s vendor assured AIM everything was buttoned up and security was rock solid. And I doubt the people at AIM had any reason (or technical knowledge) to believe their vendor was either incorrect or lying.

        As usual with the gun owning community, knees are jerking and righteous indignation being expressed without the benefit of a full factual accounting of who was responsible – from a technical standpoint – of ensuring security.

        Unless you’re using a website that employs bank-level encryption, you can never be 100% certain your data won’t be compromised at some point.

        • nicholsda

          The only secure computer is one that sits in a safe, that is not powered up, has no cords, and no internet connection. Even gov’t computers get hack attacks and it is only through firewalls, honeypots, and monitoring that you catch the attacks.

  • Edeco

    “Identity Theft Protection” sounds like possibly slightly helpful links to funnel info into Experian in hopes they won’t besmirch your name.

  • TangledThorns

    They are the only site that I bought from that asked for ID. Never again.

    • USMC03Vet

      Yup, I stay away from those ridiculous operations. I did order something from AIM once though and their service was bad.

      • Leigh Rich

        I have bought many an AR bolt and carrier from them. Great prices.

      • CountryBoy

        I’ve ordered from them before, but never anything requiring the ID info. I’ve always had good service from them, and some of their items are hard to find elsewhere.

        This won’t deter me from staying with them, but I’ll avoid some things requiring any ID other than what I need to do for mailing.

      • nicholsda

        Sorry to hear you had a bad dealing with them. I have had nothing but good ones. Used to be about the cheapest place to buy 7.62X54R ammo by the crate.

    • Leigh Rich

      Tangled…Could be because AIM sells ammo and age restrictive items. It is required by law. Aim Surplus is a great company.

      • Mikial

        Agreed. A lot of on-line ammo dealers require a copy of your ID to ensure they are compliant with the law and to protect them from all the frivolous litigation like the Brady Bunch foisted off on Lucky Gunner through the proxy of the Sandy Hook parents. They have to be able to show they have jumped through all the hoops to ensure they identified the person buying the ammo.

        Glad Lucky Gunner won that one.

        • Lt_Scrounge

          They won it and then some. If I remember correctly, they won the counter suit for a substantial sum of money. The initial suit was from the survivors of the Aurora movie theater shooting though.

    • Mike Lashewitz

      They got a copy of my CWP nothing else.

    • knotjammin2

      That is a valid point. AIM could be BATF sponsored. I won’t buy from them again.

  • livingonenergydrinks

    I got my letter in the mail yesterday. I don’t buy stuff very often, mostly from GunBroker, and I have only bought ammo from a couple of vendors. I don’t recall uploading any images of my license to their website, so I am a little confused why I got the letter. Are they just mailing this letter to everyone in their database?

  • Audie Bakerson

    Credit monitoring does almost nothing. Get a credit freeze instead if you are really worried.

    • Rick5555

      You are absolutely correct. Also, you can put password protection on your credit with all three credit reporting agencies. Whenever you apply for credit, the credit agency that’s being used will contact you. You have to present your password before the agency will release the data necessary for a creditor to provide whatever you’re seeking credit on. It does work. When I applied for a new loan for a business my wife and I have, we were both subsequently contacted, and we informed the credit agency that we did in fact apply for a large loan. This is a service that’s provided free by the credit agencies.

  • john huscio

    I bought ammo from them 6 years ago……no letter from them so far…

  • Charles

    I can say that I’m not happy WHATSOEVER that images of my FFL licensure and State driver’s license/photo ID are floating around in Eastern Europe (or equivalent) now.
    Thanks AIM, your questionable discount pricing structure has yet another strike in the “ain’t” column….
    No notification received yet, either. Damn.

    • Doom

      I only received my letter yesterday. I’m less than 4 hours from them, so you should get it soon.

  • Rock or Something

    What’s sad is that I can’t get really mad because the U.S. Government, OPM, and VA has already lost all my pertinent information to hackers.

  • James

    Jeez. Just ordered from them for the first time in March. I was happy with the deal and going to order again. Now this %&#*.

    Why did they even feel the need to keep our ID’s on file indefinitely? Once they verified the ID matched the customer’s info they should have just marked that account as “approved for gun/ammo sales” and deleted the image. Keeping it saved forever is just asking to get hacked eventually.

    • Geoffry K

      For a DL that might be OK, but for C&R purchases they have to have a copy of the FFL on file. Federal requirement, I believe. Also the license of any FFL they ship to.

      • DB

        This should help make your Gun Shop you deal with just thrilled to help you out with supplying their FFL to AIM SURPLUS, that’s done to help us, their customers out! My Gun Shop that allows my use of their FFL info is a friend! Makes me all warm and fuzzy to know he helps me out and gets it in the shorts by AIM!

        • Lt_Scrounge

          All of the information on an FFL is available from public databases. That’s how I got the information for the FFL I used for my last handful of purchases from Bud’s. Most of the wholesalers have a “find a dealer” function that allows customers to enter their zip code and get the name and address of most of the FFL holders in their area.

          • nicholsda

            If you want an FFL’s info, the gov’t will gladly give it to you in a comma separated file free for the download. In fact, if you are an FFL you are supposed to use it to verify that the copy of the license the other FFL sent you is in force.

          • Lt_Scrounge

            Exactly. FFL information isn’t some deep dark secret, it’s public knowledge.

      • Lt_Scrounge

        Wholesalers have to retain a copy of every FFL that they ship to. Most of them have a “find a dealer near you” function on their websites that allow you to find a dealer near you that they already have on file so that you can save the effort of finding one to have your purchases shipped to. With some dealers up here charging from $40 – $50 for transfers, using this function to find another dealer has saved me a bunch of money. The dealer that I now use doesn’t even sell guns, it’s an old fashioned feed store that sells some ammo out of a wooden cabinet with chicken wire on the doors. They ONLY handle transfers, do it for $20, and are only 5 miles from the house, instead of thirty.

    • CountryBoy

      Why keep your ID? Because most folks will gripe and go elsewhere if they’re “inconvenienced” by having to re-enter things or send it again.

      Look folks, I’ve not had any problems with stuff like this after 35 years in IT. However, I NEVER create an “account” on a site unless I can’t buy any other way, and most sites give you the option. If you check out as a guest, the information isn’t usually retained.

  • Ldiddy

    AIM is a really good company. In my opinion, THEY are the victims here. I have gotten similar letters in the past from Anthem, Target, and yes, the IRS. (Anthem sent out over 70 million letters.) These hackers target businesses in an attempt to extort money from them. AIM has done everything right since learning of the breach. It is likely that the only ones who will have any expense as a result of this is AIM themselves. I will continue to buy guns and ammo from them. I have always been treated fairly and honorably. Don’t be too critical of them, because it may be your company next.

    • Shocked_and_Amazed✓ᵛᵉʳᶦᶠᶦᵉᵈ

      They may be the victim but so are their customers.

    • J S

      Actually, I will be critical. My card was compromised right after this happened, and it was a card I use for business. So yeah, my company WAS next.
      Screw them. They are NOT a good company if they can’t secure their clients’ information.

      • nicholsda

        Then I guess you would also come down hard on a State D/L agency too. Because that is who my last notification came from for a data breach. And it only covered people who have a Commercial D/L.

        • knotjammin2

          Just because it’s the state doesn’t mean they are doing everything they can do to protect our information!!

      • Ldiddy

        Case in point. My understanding is that the only thing that was POSSIBLY compromised was the scanned uploaded images of our IDs. There was NO credit card information compromised. These guys have a great company and are the unfortunate victims of a computer hacker that got past their security and tried to extort money from them.
        If individuals do not already have credit monitoring in this day and age, then they are making a mistake. Like I said, I will definitely continue to do business with AIM. Good prices and really good customer service. I truly hope this all is resolved quickly.

  • Leigh Rich

    I got the notification. The ID they had was out dated a year ago and the credit cards have all been replaced with chip cards since my last order. So any info they have doesn’t matter.

    • GRComments

      The info that I was shown on my credit report was old and some was incorrect. I left it that way since I don’t apply for credit.

  • edjcox

    The Chinese use this data to build a DB of marketing and military intelligence. They are thieves and we are stupid to allow data to flow without gates and checks…

    • PGT_Mini

      This is minor compared to the OPM breach(es) they’ve done. Full dossiers exfil’ed about everybody with a Gov clearance to include their financials, who they know, their relatives, medical histories, etc.

  • Geoffry K

    Hopefully nothing much comes of it. Remember when the State of South Carolina had a data breach? I got 2 years of free credit monitoring out of it. The only alerts I got from the service was when a new sex offender was added to the County records.

    • CountryBoy

      Just curious, but exactly how often did you get those notices? Nothing against SC, but then…

      • nicholsda

        If it was like Florida, by e-mail and they show up whenever a new one moves into an area of about square miles of where you live. In the winter time is when we see the biggest influx.

  • kw

    I received the letter as well. I don’t blame them for asking for my ID; it is the law that you have to be a certain age to buy handgun ammo. I DO blame them for keeping such things indefinitely on their site. That information should be purged or moved offline.

    • Lt_Scrounge

      If they were really after gun buyer information, Aim Surplus wouldn’t even be number 2 or 3 on my list. They probably only maintain current information. When I walked into J&G in Prescott, AZ to buy some specialty buckshot rounds (the 2 1/4 inch ones that I use in my 1925 Winchester model 12) they not only had my current Texas address on file, but my previous one in Arizona as well. I was in Arizona for the Second Amendment foundation’s Annual Gun Rights Policy conference and decided to visit some friends up north and grab some more ammo while I was there.

  • Wingbert

    They wouldn’t even sell me a faxon 11″ AR15 barrel because I live in CA. Had to purchase from Faxon directly so I’m safe.

  • Mastermixer

    This sounds more like DHS/ATF snooping again. Remember Ares Armor; all they really wanted was the customer lists and purchases.

  • Invictus

    Well, if the Experian code is any indicator of their security aptitude, I’m not exactly surprised.

  • Mike Lashewitz

    Yeah I got the letter and luckily I already had credit monitoring. So now I have another year of free monitoring.

  • Mike Lashewitz

    How much you want to bet it was someone from or for the US Government that hacked them to get a list of all gun owners?

    • CountryBoy

      I’ll bet – Nothing.

      The feds already have all the info that would be on this site. Remember that all the guns you buy online still go through an FFL.

      The gov’t doesn’t need to do this to get info they already have.

      • Mike Lashewitz

        No doubt!

  • throwedoff

    Not worried about it. I’ve only bought parts from them and haven’t submitted an I.D. I use a prepaid Visa card for all my online purchases. I just load the amount I need onto the card make my purchase and the card balance goes back to less than a dollar. If someone jacks my card number, I’ll only be out a couple of quarters, and my SS# and other info are still safe.

  • BigR

    AIM?? Never heard of it!

    • nicholsda

      AIM Surplus, a nice Ohio company to deal with.

  • Doug73

    How come when unfortunate incidences like this happen, so many peoples’ first instinct is to think, “Now they owe me free sh*t!”?

    No, they owe you an apology and a resolution to the specific problem at hand. Which in this case is credit report monitoring. Nothing more is owed.

    But I forget…this is America, circa 2016. Entitlement mentality is rampant and pervasive. Even amongst people who would swear up and down that THEY don’t suffer from such an affliction. Which is itself part of the problem: Entitlement mentality is always very easy to spot in OTHER people, but I’ve never met even a single individual who would admit to having such a mentality themselves. Human nature, I guess.

  • Doug73

    Whoever created that website, is an idiot. There are at least three “facts” listed on that website that are either pure speculation, or a misrepresentation of the actual facts.

    For example, the site falsely claims that if you bought stuff from Aim before a certain date, that fact alone means your data was stolen. But according to Aim, that isn’t true at all.

    The creator of that site had better hope Aim’s owner isn’t the litigious type. Because you CAN be sued for posting false or materially misleading information about a company.

    Not surprisingly, the owner of that site was too much of a coward to attach his own name to it. Why am I not surprised?

  • Patrick R.

    That kind of site is not constructive at all.

  • David Christensen

    The problem here is the lack of on-site protection, which should be the MIS Manager’s MAIN job………. Sounds like sloppy maintenance…..

  • knotjammin2

    When I received my notice the first thing I thought of was the BATF. Would not surprise me if they are the hacker and AIM is going to release more info than they have on this matter to convince me otherwise.

  • fernando b

    I got my letter in the mail. I still need to join the identity theft protection program. But as far as AIM goes, why not give your customers a good discount or some coupons to buy ammo or goods for all the trouble, since you guys lacked protection of our identities in the first place? All companies like this should have great protection for the customers that they have. So if anything, I’m sure all of us would prefer a big discount and some coupons to buy ammo or other goods.