Taiwanese tech giant Acer recently divulged details of an unauthorized access that siphoned out almost a year’s worth of names, addresses, and credit card credentials of users via its e-Commerce site. The breach, reports say, spanned 11 months, between May 12, 2015 and April 28, 2016, which put personal data of users who have accessed the site exposed to cybercriminals.
Reportedly, Acer has duly informed the attorney general of California of the incident but the multinational company has yet to issue an official statement and has not shared the number of affected customers. In a letter signed by Vice President for Customer Service, Mark Groveunder, shared by Softpedia, the company is said to be in the process of notifying over 34,500 customers believed to be directly affected by the said breach. These users are scattered in the United States (US), Canada, and Puerto Rico.
In it, the Acer Service Corporation spokesperson says, “Based on our records, we have determined that your information may have been affected, potentially including your name, address, card number ending in [insert], expiration date and three-digit security codes.” The letter assured that the company does not collect Social Security numbers and claimed that there is no acquired evidence showing a breach of login credentials like usernames and passwords. However, this has not been completely ruled out yet.
Acer notes that the security hole that led to the issue has already been identified and it was said to be rooted in a problem in one of its third-party payment-processing systems. Currently, the issue has already been brought to the attention of the credit card payment processor.
As of this writing, no further details have been disclosed by the company but Acer has assured that immediate steps have already been undertaken to mitigate the risks brought by the uncovered unauthorized access. The letter furthered that the company has been working hand in hand with law enforcement and an external cybersecurity team to look over the incident. As such, the letter adds, “We value the trust you place in us. We regret this incident occurred, and we will be working hard to enhance our security.”
The news came not long after the surfacing of news of sold user information in the cybercriminal underground that were said to have come from “historical hacks” that involve several well-known social media sites from Tumblr, LinkedIn, Fling, and even Myspace. Apart from these reported “mega-breaches”, last week, Canadian website aggregator, VerticalScope, also shared details of a breach that potentially exposed records of over 45 million members. While researchers have not created a link that connects these incidents with that of Acer’s, the rampancy of data breaches is a cause for concern for security experts and online users as it puts in question the level of trust users place in companies and online communities that house their personal information.
If the company’s initial look at the incident proves to be true, this would not be the first time that a third-party provider was used to compromise a target. At the onset of May 2016, payroll processing giant, ADP was put in the spotlight after a breach potentially exposed employee information of its client-base to identity theft and tax fraud. This surfaced after reports have been brought forward involving fraudulent activities made through the company’s self-service portal. Following the report of the breach, ADP shares have significantly dropped to about 0.7% while the confirmed affected party and client went down 1.3%.
In securing the enterprise, a more holistic approach should be employed to prevent cybercriminals from taking advantage of any form of security gap. This is not limited in the organization itself but also on the IT supply chains and contractors that could be potential weak points in the security of an organization.
In a statement, security advocate, Javvad Malik shared, “The nature of business today is that organizations rely on many partners and suppliers to provide services to their customers. However, this supply chain needs to be managed and secured appropriately,” he notes. “Attackers will choose the path of least resistance to get into a company – and if it is well-secured, then this path will usually be through a third party that has legitimate access.”
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).