Yesterday, a ransomware attack hit a number of companies and government agencies in at least six countries. One of the companies affected was Maersk, the world’s largest ocean carrier. Maersk is one of many carriers we work with to move our clients’ ocean freight.
Naturally, this prompted questions about what kinds of data we share with freight carriers, and how we ensure the security of this data. After all, freight forwarding depends on third-party carriers by nature — so despite whatever security measures Flexport puts in place to safeguard our own data, our partners will always be susceptible to data breaches. To limit risks and protect our clients’ sensitive information, we don’t share any data with carriers or freight partners except what those parties need to know in order to move our shipments.
Specifically, we share only the following data with ocean carriers like Maersk:
- Transportation mode: (ocean or air)
- Notes (if applicable)
- Location: Port of loading
- Vessel and voyage information
- Short description of the cargo
- Container details (container size)
In other words: all financial information from purchase orders and commercial invoices, and other sensitive data, is stored only on Flexport’s servers, none of which were compromised in the Maersk breach.
It’s unlikely that Maersk was chosen as an explicit target. At least one computer at Maersk was running on an unpatched Windows computer that was affected by the ransomware (Petya), and the virus then spread to their local network. As they work to restore their networks, we’re notifying all Flexport clients with freight on Maersk ships, or whose freight is going through APM terminals (which are owned by Maersk and have also been affected by the cyber attack) — our data-driven approach makes it easy for us to figure out which shipments might be impacted and to keep a close eye on them.
Flexport isn’t vulnerable to Petya or to similar attacks for a few reasons: we don’t use Windows; we update our systems strictly and regularly; and we don’t have implicit trust between all of our servers.
We are, of course, still extremely vigilant about security. To validate and upgrade our data security, we’ve been using the vulnerability coordination platform HackerOne to run continuous penetration tests against our own systems.
In the interest of transparency, and to show how seriously we take data security, our engineering team has written a post mortem, including detailed descriptions of six vulnerabilities that we discovered and fixed through this process of continuously hacking ourselves. Today seems like a good time to share that post, as we reflect on the importance of locking down our customers’ valuable supply chain data.
Rest assured that we continue to invest in data security measures, including training our own teams in how to identify malware, phishing attacks, and more sophisticated social engineering attempts.