Acer Suffers Data Breach Through Online Store (itproportal.com)
Sam Pudwell, writing for IT Pro Portal: Taiwanese hardware and electronics giant Acer has announced that it has suffered a data breach via its e-commerce site, and is preparing to inform those customers affected. Due to unauthorised access by a third party, anyone who accessed the online store between 12 May, 2015 and 28 April, 2016 could have had their personal information compromised. Acer revealed that names, addresses, payment card numbers, card expiration dates and card security codes may have been accessed by the hackers but, following investigations by internal and external professionals, believes login details were not compromised.
I thought Acer went out of business the same time as CompUSA did.
believes login details were not compromised.
I don't really care about "names, addresses, payment card numbers, card expiration dates and card security codes".
All I need to live is my username and password at Acer shop! I'm a lucky guy!
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
Those should not have been stored on their system at all. It is against the agreement with the CC companies.
that is
It could have been much worse if all the people who re-use the same password had the credit card accounts accessed.
On storing Credit Card data? I once purchased from a tech outfit that stated up front they did not store credit card data. Once a transaction had been verified by the credit card company, the tech outfit deleted it from their secure server. It was their stated opinion that the best way to protect (the customer's) credit card data was to not store it. If you don't have it, no one can steal it.
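The "verify, then keep only what you need" approach the commenter describes, as an added illustration (not code from the article or from Acer): after the issuer authorises a payment the order record keeps an authorisation reference, amount, last four digits and expiry, while the full card number and security code are never written anywhere; a second function scans a stored record for leftover card data. Field names, the processor reply layout and the card details are assumptions constructed for this example.

```python
import re
from datetime import datetime, timezone

# Fields that must never survive authorisation (assumed names for this example)
NEVER_STORE = {"pan", "cvv", "security_code", "track_data"}

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, used to recognise a full card number in stored data."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def minimise_after_authorisation(card: dict, auth: dict) -> dict:
    """Build the only record that may be written to the order database.
    `card` is the transient checkout input, `auth` the processor's reply."""
    pan = re.sub(r"\D", "", card["pan"])
    return {
        "auth_reference": auth["reference"],   # needed for refunds/chargebacks
        "amount": auth["amount"],
        "card_last4": pan[-4:],                # enough for receipts
        "card_expiry": card["expiry"],         # MM/YY, permitted to be stored
        "authorised_at": datetime.now(timezone.utc).isoformat(),
    }

PAN_RE = re.compile(r"\b\d{13,19}\b")

def find_stored_card_data(record: dict) -> list:
    """Flag a persisted record that still carries a forbidden field, or a
    Luhn-valid 13-19 digit run (a full PAN) hiding in any value, such as a
    free-text note."""
    findings = []
    for key, value in record.items():
        if key.lower() in NEVER_STORE:
            findings.append(f"forbidden field {key!r}")
        for run in PAN_RE.findall(str(value)):
            if luhn_valid(run):
                findings.append(f"full PAN in field {key!r}")
    return findings
```

Running `find_stored_card_data` over every row of an orders table is a cheap way to confirm that nothing like the data Acer lost is sitting in your own database.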
I always used to think that large businesses, governments, etc. were incredibly careful with things they exposed to the Internet, and that breaches were mainly caused by unpatched vulnerabilities or just coding mistakes. However, when you see a breach that involves full credit card details being leaked, you can tell that a lot of the problem is a lack of standards. At least in the US, businesses aren't allowed to store or transmit card details unencrypted. I'll bet that data was never encrypted in the first place, or the keys were so poorly secured that they were easy to find once the attacker made it inside.
I think one core problem is either a lack of standards, or relying too heavily on one standard. If you just let your developers go nuts and write their own transaction processing system 1990s-style, you can bet something will be missed. On the other hand, leaning too hard on a few established payment systems exposes you to unpatched, undiscovered flaws in them.
The other thing companies need to stop doing is assuming their inside networks are totally safe. I've worked so many places where once you're in, you have full unrestricted access to anything. That requires a major shift in thinking, as many people are still of the mind that firewalls + DMZ + IDS at the front gates are all the company needs to be secure. You need to assume that people can get through all of that and make it difficult to reach critical systems even from inside.
Recent articles on the lack of security for their laptop hardware & OS/firmware (at the bottom of the pile of Windows laptops) indicate that ACER is simply not interested in security for its users.
How long before users bail on ACER?
When will someone go to prison for storing credit card information in plaintext? Put the VP in charge of that division in prison for 6 months and make the company pay restitution to the financial institutions that have to issue new cards with new account numbers. And $50 to each consumer because now they have to spend a couple hours updating their billing information with all of their online vendors.
There's no excuse for this shit.