Acer's e-commerce website hit by a customer data breach

Computer maker Acer was hit by a customer data breach of its e-commerce website, leaving approximately 34,500 customers' contact and payment information exposed for about a year.

Taiwanese computer manufacturer Acer suffered a breach of its U.S. e-commerce site that compromised credit card payment information for approximately 34,500 customers and lasted almost a full year before being detected.

While details of the customer data breach are still sketchy, the news broke after Acer filed a "Notice of Data Breach" letter with the California attorney general's office last week. Customers who used the Acer site between May 12, 2015 and April 28, 2016 were exposed. Acer identified a "security issue" that "resulted in unauthorized access by a third party," according to Mark Groveunder, vice president of customer service for Acer Service Corporation.

"Our team recently identified a security incident affecting the information of certain customers who used our U.S. e-commerce site," Lisa Emard, director of media relations for Acer America Corporation, told SearchSecurity. "As a result, an unauthorized third party was able to gain access to some transaction data, including credit card information, for certain customers who made a purchase on the site."

In the customer data breach notification letter, Acer noted that no login credentials were affected, but that data exposed "potentially" included complete payment information: customer name, address, card number, expiration date and three-digit CVV security codes. Acer did not offer free credit monitoring to affected customers, but it did urge customers to file a police report if they suspected they were victims of identity theft or fraud, as well as to contact their state attorney general's office or the U.S. Federal Trade Commission "to learn about steps you can take to protect yourself against identity theft."

Stephen Cobb, senior security researcher at ESET, said the exposure of not just the card numbers but expiration dates and CVV security codes puts affected customers in an unfavorable position. "The information that was exposed appears to be sufficient to attempt fraudulent online purchases which, if not detected as fraud during the transaction processing, would show up on the cardholder's account," Cobb said. "That would then need to be disputed."

In addition, Cobb said the length of the Acer customer data breach suggests troubling lapses in Acer's enterprise security program. "The length of time that the exposure went undetected is close to one year," he said. "That could mean Acer does not audit its systems more than once a year."

Emard said that after the issue was identified, Acer "took immediate steps to fix the problem and are continuing to work with outside cyber security experts to enhance our security. We have reported this issue to our credit card payment processor. We also notified law enforcement, and offered our full cooperation. We have notified the approximately 34,500 customers whose information may have been affected by this incident. These customers are based in the U.S., Canada and Puerto Rico."

Acer included a "Resources Guide" with its breach notification letter, identifying additional resources and urging its affected customers to "be vigilant by reviewing your account statements and monitoring your free credit reports."

"There is certainly value in credit monitoring," said Lysa Myers, security researcher at ESET. "But this doesn't mean using the service is the right choice for everyone in case of a breach. Whether you use it or not, I would strongly recommend that people still check their credit history regularly. In this case it might be a good idea to put a fraud alert or a credit freeze in place."

Cobb said it was possible only to speculate why "such a large company made such a large security error" in the absence of more details. However, he said "making computers and selling them through retail stores and distributors, which Acer has been doing for decades, does not require the same security skill set as selling products online, which the company has been doing for a much shorter period of time."
