Taiwanese computer manufacturer Acer suffered a breach of its U.S. e-commerce site that compromised credit card payment information for approximately 34,500 customers and lasted almost a full year before being detected.
While details of the customer data breach are still sketchy, the news broke after Acer filed a "Notice of Data Breach" letter with the California attorney general's office last week. Customers who used the Acer site between May 12, 2015 and April 28, 2016 were exposed. Acer identified a "security issue" that "resulted in unauthorized access by a third party," according to Mark Groveunder, vice president of customer service for Acer Service Corporation.
"Our team recently identified a security incident affecting the information of certain customers who used our U.S. e-commerce site," Lisa Emard, director of media relations for Acer America Corporation, told SearchSecurity. "As a result, an unauthorized third party was able to gain access to some transaction data, including credit card information, for certain customers who made a purchase on the site."
In the customer data breach notification letter, Acer noted that no login credentials were affected, but that the data exposed "potentially" included complete payment information: customer name, address, card number, expiration date and three-digit CVV security codes. Acer did not offer free credit monitoring to affected customers, but it did urge customers to file a police report if they suspected they were a victim of identity theft or fraud, as well as to contact their state attorney general's office or the U.S. Federal Trade Commission "to learn about steps you can take to protect yourself against identity theft."
Stephen Cobb, senior security researcher at ESET, said the exposure of not just the card numbers but expiration dates and CVV security codes puts affected customers in an unfavorable position. "The information that was exposed appears to be sufficient to attempt fraudulent online purchases which, if not detected as fraud during the transaction processing, would show up on the cardholder's account," Cobb said. "That would then need to be disputed."
In addition, Cobb said the length of the Acer customer data breach suggests troubling lapses in Acer's enterprise security program. "The length of time that the exposure went undetected is close to one year," he said. "That could mean Acer does not audit its systems more than once a year."
Emard said that after the issue was identified, Acer "took immediate steps to fix the problem and are continuing to work with outside cyber security experts to enhance our security. We have reported this issue to our credit card payment processor. We also notified law enforcement, and offered our full cooperation. We have notified the approximately 34,500 customers whose information may have been affected by this incident. These customers are based in the U.S., Canada and Puerto Rico."
Acer included a "Resources Guide" with its breach notification letter, identifying additional resources and urging its affected customers to "be vigilant by reviewing your account statements and monitoring your free credit reports."
"There is certainly value in credit monitoring," said Lysa Myers, security researcher at ESET. "But this doesn't mean using the service is the right choice for everyone in case of a breach. Whether you use it or not, I would strongly recommend that people still check their credit history regularly. In this case it might be a good idea to put a fraud alert or a credit freeze in place."
Cobb said it was possible only to speculate why "such a large company made such a large security error" in the absence of more details. However, he said "making computers and selling them through retail stores and distributors, which Acer has been doing for decades, does not require the same security skill set as selling products online, which the company has been doing for a much shorter period of time."