Lessons from the hack of Mercado Libre

In the digital age, there are three kinds of companies: those that are going to be hacked, those that have already been hacked, and those that will be hacked again. Mercado Libre is the new kid on the block of publicly known cyberattacks.

On the night of Sunday, March 6, the computer systems of Mercado Libre, an e-commerce giant that had a turnover of 7,000 million dollars in 2021, were the target of an attack that gained access to its source code, the lines of software from which the website is built. The attacker(s) accessed the data of 300,000 Mercado Libre users globally (0.21% of the e-commerce company's total number of users). In Mexico, 50,000 accounts (0.03%) were affected.

According to its press team, “no critical data” protected by Mercado Libre, “such as passwords, card data, Mercado Pago balances”, was obtained by the attacker or attackers. “No user's account as such was compromised”; only the names of the affected accounts and the linked emails were obtained. “There was also no compromise of our infrastructure or access to our databases. No service or platform was affected in its operation,” the communications team told me.

The severity, then, would have been minor, but not so minor as to avoid disclosing it. One of the main assets of companies in the digital economy, and above all of firms that operate e-commerce, is their reputation. Disclosing the success of a cyberattack, even a minor success, must be very painful for a serious technology company.

Mercado Libre is listed on the United States stock exchange and is bound by the SEC, the US stock market authority, to report on cyberattacks. (A new SEC regulation intends to oblige listed companies to disclose them within a maximum period of four days.)

In Mexico, under personal data protection law, Mercado Libre is obliged to notify only the holders of the data of the affected accounts, and only in the event that the security breach “significantly affects the patrimonial or moral rights of the holders” (article 20). In this case, that means the holders of the 50,000 accounts involved.

Even if the attack was not serious, Mercado Libre acted proactively with its users, which is appreciated, informing them about the incident and offering security advice so they could act accordingly.

Mercado Libre is a survivor of the 2001 dotcom crisis, a pioneer in electronic commerce in Latin America and the largest digital company in the subcontinent, which earns 4.6 billion from electronic commerce and 2.4 billion from a buoyant financial business, through Mercado Pago and Mercado Crédito (this vertical grew 72% in 2021 compared to 2020). For 2022, it announced an investment in Mexico of almost 1,500 million dollars (it could not be otherwise, given that its business here doubled in 2021 to 1,172 million dollars).

Its financial statement to the SEC does not specify the budget it allocates to security and protection of its infrastructure (hardware and software), but it does state that the “update process is expensive and the increasing complexity and improvement of our website generates higher costs”, as a lack of maintenance “could materially damage our business and our ability to collect revenue”.

Mercado Libre is clear that part of its business is based on information security. “Our ability to run our business on a day-to-day basis is highly dependent on the efficient operation of our information technology infrastructure and our cloud providers, the largest of which is Amazon Web Services. We have been and are susceptible to attacks on our systems or other security breaches by unauthorized third parties,” reads its financial report for 2021.

And despite all this, on the night of Sunday, March 6, Mercado Libre suffered a breach serious enough to be reported. If a giant of electronic commerce and fintech (digital financial services), which understands that its business is based, among other things, on information security, is the victim of successful cyberattacks, however minor, what can we expect from companies less concerned about cybersecurity? And what can we expect from governments, sometimes so concerned with austerity and budget savings?

Jose Soto Galindo

Editor of El Economista online


Journalist. He has edited the digital version of El Economista in Mexico City since 2010. He holds a master's degree in Transparency and Protection of Personal Data from the University of Guadalajara and has a specialization in telecommunications and information technology law. His personal blog is Economicon.
