Hackers claim Courts, PriceSmart cybersecurity breached

Courts, South Quay, Port of Spain. FILE PHOTO/AYANNA KINSALE

Regional cyber security websites say PriceSmart and Courts Caribbean’s online shopping website ShopCourts have been hacked.

Jamaican cybersecurity researcher Gavin Dennis, Computer Forensics and Security Institute (CFSI) and technewstt.com all say the ShopCourts data was stolen and posted online on August 29.

The stolen data is said to include information on possibly up to 200,000 customers such as names, genders, e-mail addresses, account passwords, ID information, dates of birth and phone numbers.

It is also said to include order details for customers such as billing and shipping addresses, purchase dates, purchase locations, shipping information, order totals and payment methods.

However, Courts released a statement on Sunday claiming none of its customers’ payment methods and password information had been exposed in the incident.

The company acknowledged a data breach in the old e-Commerce Platform www.shopcourts.com, but said immediate action was taken. Courts said it switched e-commerce platforms in September, the month after the alleged hack.

It added the data leak only contained information on customers who shopped on its website, but said the new platform “enforces the measures and strengthens security levels…to have a secure platform without any data breach.”

Hackers have leaked a sample of customer records from 2013-2023 as proof of the hack.

The data spans customer accounts in multiple Caribbean countries including Trinidad and Tobago, Jamaica, Belize, St Lucia, and Barbados.

According to hack reporting website leakbase.io, the data is also being offered for sale.

CFSI owner and enterprise risk consultant Shiva Parasram told Newsday he believed the hack was done by either an individual or group of individuals, given the circumstances around its availability.

“It was put out onto the regular internet, which is what we call the surface web. So anybody with an internet connection could actually do some digging and find that. However, it's posted on a forum where you have to pay for it, usually in crypto(currency), and the price is usually pretty exorbitant, so you can’t just go and download it for free.”

PriceSmart, MovieTowne, Port of Spain. FILE PHOTO/ROGER JACOB

Meanwhile, another hack-reporting website and cyber security platform, FalconFeeds.io, says PriceSmart has also been the victim of a hack.

FalconFeeds posted on X, formerly known as Twitter, that hacking group AlphV has acquired more than 500 GB of sensitive employee and client data.

According to technewstt, AlphV, also known as Black Cat, is a recently formed ransomware group which has breached more than 60 organisations in the last month.

Parasram said while the exact nature of the data has not been revealed, the PriceSmart hack is even more concerning, given AlphV’s reputation.

“They are notoriously popular in the ransomware business. They are actually almost like a best-of-the-best group. They recruit a lot of other ransomware extortionists from different groups and try to use the best hackers. Also, the ransomware they use is deadly. You could have the best security in the world; they just need one way in. It only takes one person clicking on one link to get inside (a company’s database).”

He added the timing of the hack, coupled with the amount of data, is also concerning.

“They have an incredible amount of data, so I don't know what exactly the data is yet, because that will take us maybe about at least a week to download…I don't want to speculate too much without seeing it. I'm hoping that the credit-card information is okay, but a lot of people will be concerned, especially since we had that whole debacle recently with the bank-card charges with PriceSmart.”

He warned Caribbean companies can expect more hacking attacks and breaches and added the region “is in for a hell of a ride.”

Parasram explained hackers see Caribbean companies as “low-hanging fruit” compared to larger international companies which can fund better IT security infrastructure.

He said there should be laws to guide companies’ actions in the event of a data breach.

“It would be really great if there was some sort of legislation that ensured when companies experience a breach or leak, they put that information out there so that people could start safeguarding themselves.

"As it is right now, our data is out there, but we haven’t been told to be on the lookout for phishing e-mails or monitor our credit cards. It would put the onus on the company to make sure that they secure our data a lot better than just having it out there, having a couple of things in place and hoping for the best.”

Parasram suggested anyone who had used either Courts or PriceSmart’s shopping websites should change their password immediately and either lock their credit card or monitor it for suspicious activity.

“In some online banking apps, there is a feature where you can lock your credit card, meaning that it can't be used for any new purchases. Redundant purchases are still allowed, but you have to go into the banking app and manually unlock that credit card for you to make a new purchase.”

He said customers should also be on the lookout for suspicious e-mails with spelling errors and suspicious sender addresses, as the hackers may now use the stolen data to target customers.

“If you receive an e-mail which says ‘There has been a breach, please click here to change your password,’ that may be a phishing e-mail.

"Everyone's e-mail address is in the stolen data, so if a group gets those e-mail addresses, they could even personalise it with your e-mail address and your name or your home address to make it sound more convincing.

"So you have to be a lot more vigilant on the digital part.”
