
AIM Surplus Reports Data Breach

Over the past week, several shooters have received letters from the popular firearms and ammunition retailer AIM Surplus, indicating that their personally identifiable information (PII) was recently compromised as part of a security breach within the company’s IT systems. According to details from AIM, photos of drivers’ licenses and copies of federal firearms licenses (FFLs) uploaded to customers’ accounts were taken, leading many to worry about identity theft. There has not, however, been any indication that customer payment data was exposed in the breach.

As you might expect, many loyal AIM shoppers are worried about data exposure. It’s relatively easy to use someone’s driver’s license to commit fraud, but couple that information with valid FFLs and the consequences could be considerably worse. Indeed, a valid FFL and state-issued ID are usually the two pieces of information that a licensed dealer/collector needs to present in order to purchase a firearm. With this in mind, it isn’t unreasonable to think that a determined person, with information collected in the AIM breach, could rather easily make purchases using a victim’s firearms license.

Another concern stems from the fact that the compromised documents feature addresses where a sufficiently motivated (and extremely ballsy) thief could expect to find firearms. This, in my opinion, is the most troublesome aspect of the breach. For personal security reasons, most sensible gun owners try to keep this type of information as private as possible.

As an information security professional, it is difficult to be angry with AIM. There’s a common belief in the industry that it isn’t a matter of if you’ll be breached, but when. Frustration among AIM customers is absolutely reasonable, yet this news isn’t necessarily an indication that the company was grossly negligent.

I have yet to receive my letter, and mine may never arrive. Though I uploaded both my ID and FFL to AIM’s site, both documents expired many months ago and featured old addresses. For those who do receive notification, AIM is offering one year of free identity theft protection. I’ll update readers if any further developments arise, but please see AIM’s statement below.

On April 4, 2016, AIM Inc received a report that an unauthorized person was able to gain access to certain images that had been uploaded to our website. We immediately conducted an investigation, engaged a leading security firm, and alerted law enforcement. We mailed letters to all individuals on Tuesday April 26th who were affected that explained what occurred, steps we took to prevent this from happening again, and contained an offer of credit monitoring. No payment or account information was affected. We regret that this occurred and are committed to continuously working to implement appropriate measures so that our customers enjoy their experience with us.
