| Field | Details |
|---|---|
| Company name and location | Bergen Logistics, located in the USA, Canada, Europe & Asia |
| Size | Less than 100 MB, exposing 467,979 records |
| Data storage format | Elasticsearch |
The Website Planet security team uncovered a data leak affecting Bergen Logistics, a rapidly growing order fulfillment provider based in New Jersey, USA.
Bergen is a market leader in business-to-business logistics within the fashion and lifestyle sector. Its reach is global, with warehouses spread across the United States, Canada, Europe and Asia.
On the 28th of December, 2020, our security team discovered an open Elasticsearch server belonging to Bergen. This server was left unsecured, without any password protection or encryption, potentially exposing thousands of Bergen customers.
We checked the database again a few days later, and it appeared most of the database had been deleted by a hacker, who left behind a ransom note.
From our findings, it seems likely that any clients or customers that have conducted business with Bergen, or received a package from Bergen within the USA, could have been exposed by this data leak.
Customer Data Leaked
- Shipment details containing the addresses, phone numbers, names, surnames, and emails of customers.
- Login credentials in plaintext, containing the emails and passwords to customer accounts, were also exposed.
Hundreds of thousands of these files were left unprotected, and it appears that hackers found the database, potentially copied it to their own servers, and emptied the Elasticsearch index.
In total, 467,979 customer records have been exposed on Bergen’s open server, equating to 100MB of data. Many files were dated to December 2020, suggesting the server was live and being used at the time of the breach.
Among these exposed files are approximately 6000 records containing the shipment details of customers. Client names, surnames, addresses, phone numbers and emails can all be found on these files. There are also around 3000 records detailing the login credentials of customers. This is extremely dangerous, as emails and passwords listed in plaintext could be used to commit fraud against the client in question. Examples of both can be found below.
It seems most of the leaked data relates to USA customers, with more than 465,000 exposed records containing directly identifiable customer data. It’s a sensible estimation to suggest that every one of these customers could be affected.
Who Was Leaking the Data?
Bergen Logistics is a market-leading order fulfillment provider, meaning it stores, picks, packs and delivers clients’ products to their retail outlets. Bergen also provides logistics solutions directly to customers of online marketplaces, and E-commerce stores.
Bergen works to bring fulfillment solutions to a range of industries, from fashion to home products, electronics and medical devices. Bergen primarily operates within the fashion sector, delivering footwear, handbags, accessories, cosmetics and fragrances on behalf of brands and stores worldwide.
Bergen Logistics currently employs 149 people, with an estimated turnover of $52 million (according to RocketReach).
Who Was Affected
Many businesses working with Bergen Logistics could have been exposed, and Bergen’s ventures into B2C delivery suggest that the information of public customers may also be found on the database.
Several high-profile clients are in business with Bergen Logistics. Bergen supports E-commerce platforms such as Shopify, Magento and Sellect, and works with well-known brands like Lela Rose, LoveShackFancy, 3.1 Phillip Lim, and Todd Snyder.
As mentioned before, it is unknown whether any of the exposed files impact clients from outside of the USA. All of the above-mentioned brands, along with any other American clients and associated E-commerce stores that have done business with Bergen Logistics, are at risk of this data breach.
Impact on End Users
We know for certain that hackers have been able to access and download files from Bergen’s unsecured database. Though their primary intention seems to center around extorting money from Bergen Logistics, there is no knowing whether these hackers intend to use customer information to assist in additional criminal activities.
There is also the possibility that other unethical hackers have accessed the database, in which case there are various risks associated with the exposure that concerned parties should be aware of:
- Identity Theft and Fraud – Leaked personal data, such as names, addresses, emails and phone numbers could be used to target customers with identity theft, and allow hackers to conduct fraudulent activities across several other platforms.
- Scams, Phishing and Malware – Exposed email addresses and phone numbers could be used to target customers. Criminals will contact customers through one of these mediums, establishing trust with personal information acquired in the leak. On the phone, they are likely to attempt to con victims into disclosing their bank account details, or other examples of personal information. Through email, they may attempt to convince people to click a link, from which they can install malicious software onto the victim’s device.
- Business Espionage – Businesses could be targeted by competitors who find out about the leaked user list.
- Theft – Available personal information and shipping details mean large quantities of product could be intercepted by criminals, and vulnerable to theft.
- Account Takeover – Perpetrators who obtain the login credentials of customers can use them to sign into accounts, commit fraud, steal financial information or intellectual property, and sell or exploit whatever they find in those accounts to commit further crimes.
Impact on Bergen Logistics
Data Privacy Laws
Under section 5 of the FTC Act, Bergen Logistics is required to adhere to the FTC’s published privacy promises, and is required to provide adequate security of personal information when conducting business within the USA.
Any failure to adhere to these conditions empowers the U.S. Federal Trade Commission to bring enforcement actions upon the business in question. An arrest or fine of up to $100 million is the punishment if a business or individual is found guilty of the charges.
Bergen’s operations within the EU also mean the company is subject to GDPR laws. If Bergen is found to have lost, disclosed, or provided access to customer data, it could face an additional fine of around $24 million, or 4% of its turnover (whichever is greater).
Loss of Business
This data breach may also damage the reputation of Bergen Logistics, with a loss of business a common result.
Bergen has failed to secure the data of clients, and in doing so it has exposed those clients to hackers and criminals. Because of this, some existing customers may lose trust in Bergen and take their business elsewhere, while the leak could also affect any future trade with new customers.
Competitors may use espionage (spying) to gain a commercial or financial advantage over Bergen Logistics.
With the information that is exposed, Bergen (along with all of the clients implicated in this breach) is potentially at risk of competitive espionage. Hackers can pose as a client or a member of the business to access confidential information pertaining to accounts, business operations, or even trade secrets.
They can steal this information, and with access to customer details, competitors may even be able to undermine the business operations of Bergen.
Status of the Data Breach
We must stress that whilst a ransom note was identified, these are common (often automated) messages sent to an open database. We cannot provide proof that anyone has actually copied Bergen data.
Our security team discovered the open database on December 28th, 2020, and Bergen Logistics was informed on the 30th. On the 31st, the database had been wiped out and the team discovered the ransom note. After checking the server again on January 15th, 2021, our team found that the database was still unsecured. Bergen was informed of the data leak several more times. On April 4th, 2021, we received a reply from one of their executives, to whom we disclosed our findings, but as of yet we have not received a further response from him or on the matter.
The Computer Emergency Response Team (CERT) was contacted on several occasions, but has not replied.
All exposed data is accurate, and relates to the clients and business operations of Bergen Logistics. Though there could be examples of test data, any implicated customers we discovered were found to be real individuals.
Protecting Your Data
Data breaches are a worrying ordeal for those customers who are unfortunate enough to be involved. While the following steps cannot guarantee the safety of implicated customers, they are necessary for reducing the threat of malicious criminal activity.
Firstly, if you have lost trust in an organization, it is perfectly legal to request that your data is deleted. Companies will have to comply, in accordance with privacy standards.
You should also be extra vigilant when cooperating with unknown parties over the phone, or through email. If a party claiming to be a trustworthy company asks you to provide personal information, click a link, or download a file, refuse to comply until that party can prove that they are legitimate.
Account takeover is another concern for anyone who thinks they may be affected by this breach. Hackers can use the information to sign into customer accounts. Customers should change their password and username for the account in question, as well as on any other site where the same credentials have been used. Businesses can employ password manager software, along with systems that identify breaches and force password resets accordingly.
For business owners, it is also important to be aware when unknown parties are asking an excessive number of questions about your company. Make sure your own databases are secure, and you will be safeguarded against further attacks from hackers or competitors.
Hiring a cybersecurity professional is the best way to ensure that the data of you and your customers is protected.
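The server in this report was an Elasticsearch node reachable without a password or TLS. As an added illustration for the "secure your own databases" advice (not Bergen's configuration, and not from the original article), the fragment below contrasts the exposed settings with a hardened `elasticsearch.yml`; the bind address and certificate paths are placeholders.

```yaml
# elasticsearch.yml (constructed example, not Bergen's actual configuration)

# --- Exposed, matching the incident described above ---
# Listening on every interface with the security module off means anyone who
# can reach TCP/9200 can read, dump and delete every index anonymously.
# network.host: 0.0.0.0
# xpack.security.enabled: false

# --- Hardened ---
# Bind only to an internal interface (placeholder address); publish the REST API
# to applications through a private network or a reverse proxy, never directly.
network.host: 10.0.0.5
http.port: 9200

# Require authentication (built-in users, roles or API keys). The security
# module has been free under the basic licence since Elasticsearch 6.8 / 7.1
# and is enabled by default from 8.0, so there is no licensing reason to leave it off.
xpack.security.enabled: true

# TLS on the REST API so credentials and documents do not cross the network in clear.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12        # placeholder path

# TLS between cluster nodes as well, with certificate verification.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12    # placeholder path
xpack.security.transport.ssl.truststore.path: certs/transport.p12  # placeholder path

# Keep the audit log on so unauthenticated access attempts and bulk deletions
# (the pattern behind the ransom note) leave a record to investigate.
xpack.security.audit.enabled: true
```

With these settings in place, an anonymous request to your own node's root URL should be answered with HTTP 401 rather than the cluster banner; checking that from outside the network is the quickest confirmation that the data store is no longer publicly readable.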
How and Why We Report on Data Breaches
We want to help our readers stay safe when using any website or online product.
Unfortunately, most data breaches are never discovered or reported by the companies responsible. So, we decided to do the work and find the vulnerabilities putting people at risk.
We follow the principles of ethical hacking and stay within the law. We only investigate open, unprotected databases that we find randomly, and we never target specific companies.
By reporting these leaks, we hope to make the internet a safer place for everyone.
What is Website Planet?
Website Planet is the number one resource for web designers, digital marketers, developers, and businesses with an online presence. You’ll find tools and resources for everyone, from beginners to experts — and honesty is our top priority.
We have an experienced team of ethical security research experts who uncover and disclose serious data leaks as part of a free service for the online community at large. This has included a breach in a UK recruitment firm, as well as a breach in an Indian B2B online packaging marketplace leaking sensitive data.