Slashdot Mirror


Acer Suffers Data Breach Through Online Store (itproportal.com)

Sam Pudwell, writing for IT Pro Portal: Taiwanese hardware and electronics giant Acer has announced that it has suffered a data breach via its e-commerce site, and is preparing to inform those customers affected. Due to unauthorised access by a third-party, anyone who accessed the online store between 12 May, 2015 and 28 April, 2016 could have had their personal information compromised. Acer revealed that names, addresses, payment card numbers, card expiration dates and card security codes may have been accessed by the hackers but, following investigations by internal and external professionals, believes login details were not compromised.

32 comments

  1. Acer still around... by __aaclcg7560 · · Score: 1

    I thought Acer went out of business the same time as CompUSA did.

    1. Re:Acer still around... by Anonymous Coward · · Score: 0

      My last 3 desktops have been Acer.

    2. Re:Acer still around... by Anonymous Coward · · Score: 0

      Whaddayaknow? AC is an ACer.

    3. Re:Acer still around... by __aaclcg7560 · · Score: 1

      And just about as useless.

    4. Re:Acer still around... by Anonymous Coward · · Score: 0

      My last 3 desktops have been Acer.

      Yeah, it's one of the few durable survivors in the PC industry. Has survived the likes of Gateway, Zeos, Micron, Midwest Micro and several other PC vendors from the 90s. This laptop that I'm typing this on is an Aspire E15.

      I never got the idea of that bloatware. One can either buy apps via the Windows Store (which has been dying on my other Lenovo AIO), or download them directly from websites. In fact, that was where I downloaded my Office 365 from.

  2. That's really reassuring! by aglider · · Score: 4, Funny

    believes login details were not compromised.

    I don't really care about "names, addresses, payment card numbers, card expiration dates and card security codes".
    All I need to live is my username and password at Acer shop! I'm a lucky guy!

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
  3. Genius by Anonymous Coward · · Score: 0

    So only names, addresses, payment card numbers, card expiration dates and card security codes were accessed? My login is safe? Nice!

    Oh wait, why would they need the login when they already have every single piece of data about me they want?

    1. Re:Genius by Rashkae · · Score: 1

      It could have been much worse if all the people who re-use the same password had the credit card accounts accessed.

    2. Re:Genius by Anonymous Coward · · Score: 0

      How many times do we have to remind you people?

      Do NOT reuse passwords.
      Do NOT reuse usernames.
      Do NOT reuse credit cards.
      Do NOT reuse credit card expiration dates.
      Do NOT reuse credit card security cards.
      Do NOT reuse addresses.
      Do NOT reuse names.
      Do NOT reuse birth dates.
      Do NOT reuse mother's maiden names.
      Do NOT reuse social security numbers.

  4. Card Security Codes? by Auction_God · · Score: 1

    Those should not have been stored on their system at all. It is against the agreement with the CC companies.

    1. Re:Card Security Codes? by Anonymous Coward · · Score: 0

      ?

      PCI compliance is a thing?

    2. Re:Card Security Codes? by Calydor · · Score: 1

      Depends on the kind of intrusion. If their e-commerce site essentially got turned into a keylogger, which seems likely given everything seems to have been taken except login details, then the security code gets grabbed just like all the other fields.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    3. Re:Card Security Codes? by aglider · · Score: 1

      Also storing CC numbers and details is something questionable.
      The only pros are for the seller, not for the buyer.
      And this case is clearly showing it. Once again.

      --
      Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    4. Re:Card Security Codes? by Anonymous Coward · · Score: 0

      It happens, though. I worked for an ISV that stored full billing name, CC number, expiration date, and CVV2 code in the database in cleartext despite multiple warnings against it by staff.

    5. Re:Card Security Codes? by ColoradoAuthor · · Score: 1

      $50,000.00 per instance is what MasterCard can fine a merchant for storing the security code. It's right there in the merchant agreement. Do you think they'll enforce that provision?

    6. Re:Card Security Codes? by Anonymous Coward · · Score: 0

      Are you sure? I think they can store it in encrypted form using PCI-approved hardware encryption (e.g. an HSM).

      In any case, they should have used an HSM for encrypting all payment information on their database, whether they're allowed to store the security code or not.

  5. according to acer by turkeydance · · Score: 1

    that is

  6. Why Do Companies Insist... by Anonymous Coward · · Score: 1

    On storing Credit Card data? I once purchased from a tech outfit that stated up front they did not store credit card data. Once a transaction had been verified by the credit card company, the tech outfit deleted it from their secure server. It was their stated opinion that the best way to protect (the customer's) credit card data was to not store it. If you don't have it, no one can steal it.

    1. Re:Why Do Companies Insist... by Anonymous Coward · · Score: 0

      Because "studies" have shown that people have the attention span of a gnat and having to find their card and type all this information in means they won't.

    2. Re:Why Do Companies Insist... by jenningsthecat · · Score: 1

      On storing Credit Card data?

      Not all companies do. For example, Digi-Key asks me if I want my CC data saved. Of course, I always decline.

      --
      'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    3. Re:Why Do Companies Insist... by gnasher719 · · Score: 1

      Not all companies do. For example, Digi-Key asks me if I want my CC data saved. Of course, I always decline.

      No decent company stores your credit card number. Ever. What they can do is exchange the credit card number into a token that allows them to move money from your account into theirs. If that token is stolen, the hacker cannot put any money into their account.

      Seems Acer is not a decent company.

    4. Re:Why Do Companies Insist... by twotacocombo · · Score: 1

      On storing Credit Card data?

      Refunds and reporting. You can't issue a refund without the card number. You certainly don't need to store the security code though, and if I remember correctly, you can still push a refund through with an invalid expiration date. The better question is why this information was stored unencrypted, and specifically in-house. When I was tasked with auditing the credit card software my company used, I was appalled by what I found. There was just no way to secure it, so we dumped it and went with an outside vendor, who does all the processing and storage for us on their website. That way, even if something is compromised, it isn't our ass in the wringer. As far as reporting goes, it's beneficial to at least see the last 4 digits so you can tell if someone is doing something shady, like splitting.
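
Added example (not part of the thread, and not any commenter's or vendor's code): a minimal Python sketch of the token-plus-last-4 arrangement the two comments above describe, where an outside processor holds the card number and the merchant keeps only what refunds and reporting need. The `Processor` class, its methods, and the merchant-bound token rule are assumptions made for illustration; the card data is a constructed test value.

```python
import secrets


class Processor:
    """In-memory stand-in for the outside payment vendor (hypothetical API)."""

    def __init__(self):
        self._vault = {}  # token -> (merchant_id, PAN); exists only on the vendor side

    def authorize(self, merchant_id, pan, expiry, cvv, amount_cents):
        # expiry and cvv are used for this one authorization and never kept.
        if not (pan.isdigit() and cvv.isdigit()):
            raise ValueError("malformed card data")
        token = "tok_" + secrets.token_hex(16)  # random: reveals nothing about the PAN
        self._vault[token] = (merchant_id, pan)
        return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}

    def refund(self, merchant_id, token, amount_cents):
        owner, pan = self._vault[token]
        if owner != merchant_id:
            # Assumption: tokens are bound to the merchant that created them,
            # so a token copied from a breached store is useless elsewhere.
            raise PermissionError("token not issued to this merchant")
        return {"refunded_cents": amount_cents, "last4": pan[-4:]}


def checkout(processor, orders_db, merchant_id, form):
    """Merchant side: pass card data through, persist only the receipt."""
    receipt = processor.authorize(merchant_id, form["pan"], form["expiry"],
                                  form["cvv"], form["amount_cents"])
    orders_db.append(receipt)  # token + last4 + amount; no PAN, expiry or CVV
    return receipt


def demo():
    processor, orders_db = Processor(), []
    form = {"pan": "4111111111111111", "expiry": "12/30",  # constructed test card
            "cvv": "123", "amount_cents": 49900}
    receipt = checkout(processor, orders_db, "shop-A", form)
    refund = processor.refund("shop-A", receipt["token"], 49900)
    try:
        processor.refund("attacker-shop", receipt["token"], 49900)
        stolen_token_usable = True
    except PermissionError:
        stolen_token_usable = False
    return orders_db, refund, stolen_token_usable
```

A dump of `orders_db` after a breach yields tokens and last-4 digits only, and the refund path still works for the legitimate merchant.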

  7. Leave my bloatware alone by Anonymous Coward · · Score: 0

    I honestly don't know how I could live without my trusty 15+ Acer bloatware applications on every new laptop.

    1. Re:Leave my bloatware alone by Anonymous Coward · · Score: 0

      Why do you know what came installed on your laptop? You actually booted the pre-installed Windows? WTF for?

    2. Re:Leave my bloatware alone by Anonymous Coward · · Score: 0

      Not everybody's gonna wipe it out and install Linux or BSD or Hackintosh

  8. Proof that IT security is still an illusion by ErichTheRed · · Score: 1

    I always used to think that large businesses, governments, etc. were incredibly careful with things they exposed to the Internet, and that breaches were mainly caused by unpatched vulnerabilities or just coding mistakes. However, when you see a breach that involves full credit card details being leaked, you can tell that a lot of the problem is a lack of standards. At least in the US, businesses aren't allowed to store or transmit card details unencrypted. I'll bet that data was never encrypted in the first place, or the keys were so poorly secured that they were easy to find once the attacker made it inside.

    I think one core problem is either a lack of standards, or relying too heavily on one standard. If you just let your developers go nuts and write their own transaction processing system 1990s-style, you can bet something will be missed. On the other hand, leaning too hard on a few established payment systems exposes you to unpatched, undiscovered flaws in them.

    The other thing companies need to stop doing is assuming their inside networks are totally safe. I've worked so many places where once you're in, you have full unrestricted access to anything. That requires a major shift in thinking, as many people are still of the mind that firewalls + DMZ + IDS at the front gates are all the company needs to be secure. You need to assume that people can get through all of that and make it difficult to reach critical systems even from inside.

  9. Explain something to me, please by Anonymous Coward · · Score: 0

    Credit card information only ever needs to travel from the customer via the web interface to the back end, never the other way around. Why is that information accessible from the web server AT ALL? Put a data diode between the web server and the back end. There should not be a way to get the credit card information even if every Russian hacker has completely rooted the web server.

  10. Not surprising for ACER by BoRegardless · · Score: 1

    Recent articles on the lack of security for their laptop hardware & OS/firmware (at the bottom of the pile of Windows laptops) indicate that ACER is simply not interested in security for its users.

    How long before users bail on ACER?

  11. CYBER 9/11 - wrap your mind around this folks! by Anonymous Coward · · Score: 0

    In order to [falsely] justify increasing control over the Internet, actual US/EU Government programs headed by the CIA are in place to produce news stories of a multitude of hacks here and there. Breaches here and there. Leaks here and there. Make big stories, present the various agencies as heroes out to defend this terror and threat barrage.

    Fact is: What did Ed Snowden say and why were they pissed about it? Did it go away? Did 9/11 WTC attacks not happen? Was this not a false flag on such a grand scale that it is incomprehensible any group would be that evil?

    OK then why the gun law pressures in the United States all the while they let more and more foreigners in? Come to our terror party, come one come all?

    This is precisely how it is.

    1. Re:CYBER 9/11 - wrap your mind around this folks! by Anonymous Coward · · Score: 0

      In order to [falsely] justify increasing control over the Internet, actual US/EU Government programs headed by the CIA are in place to produce news stories of a multitude of hacks here and there. Breaches here and there. Leaks here and there. Make big stories, present the various agencies as heroes out to defend this terror and threat barrage.

      Fact is: What did Ed Snowden say and why were they pissed about it? Did it go away? Did 9/11 WTC attacks not happen? Was this not a false flag on such a grand scale that it is incomprehensible any group would be that evil?

      OK then why the gun law pressures in the United States all the while they let more and more foreigners in? Come to our terror party, come one come all?

      This is precisely how it is.

      Very true but this will likely get modded to -1 by Microsoft shills so it won't be scraped by Google and become searchable.

      They also have 1000's of people globally cooperating on corporate levels that scour message boards and forums.

  12. Acer, nothing more needed to say by Anonymous Coward · · Score: 0

    Acer is a technology company built on crummy cheap technology. Yea, they do make a couple nice notebooks. But in general they crank out crap for cheap.
    Not surprising then Acer can't keep its store secure, or protect its customers. One common theme these days to protect yourselves is to stop allowing browsers to store personal information and, more important, stop storing all your information on an online store server. You know these servers will be attacked, right?
    Yea, I know it's a hassle typing all your information in every time. But it's also a hassle when your personal information ends up on a stolen database too.

  13. Prison by jtownatpunk.net · · Score: 1

    When will someone go to prison for storing credit card information in plaintext? Put the VP in charge of that division in prison for 6 months and make the company pay restitution to the financial institutions that have to issue new cards with new account numbers. And $50 to each consumer because now they have to spend a couple hours updating their billing information with all of their online vendors.

    There's no excuse for this shit.