[BreachExchange] Acer will pay $115K settlement following major security breach

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jan 27 13:58:10 EST 2017


http://www.digitaltrends.com/computing/acer-settlement-security-breach/

In June 2016, Acer announced that a security breach pertaining to its
online storefront serving North America had resulted in thousands of users’
personal data being compromised. Now, the New York attorney general’s
office has confirmed that the company will pay $115,000 in penalties,
following an in-depth investigation into the error.

It’s been discovered that an Acer employee enabled debugging mode on the
company’s ecommerce platform between July 2015 and April 2016, according to
a report from Engadget. This setting caused all personal data provided by
customers via web forms to be saved to an unencrypted, plain-text log file.

The information offered up included full names, credit card numbers,
expiration dates, verification numbers, user names and passwords for the
site, email addresses, and full street addresses including ZIP codes.
Customers would obviously need to submit this data to carry out a
transaction on the website, but it’s easy to imagine how malicious entities
could use it to commit acts of fraud.
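As an added illustration, not part of the article or the incident record: a small Python audit that scans a constructed debug log (sample lines invented here, not Acer data) for the kind of form-field dumps described above, using a Luhn check to flag likely card numbers, plus a redaction function showing what a logger should have done with those fields instead.

```python
import re
from typing import Dict, List

# Constructed sample log, imitating a debug-mode logger that writes every
# submitted form field in plain text. Values are made up (4111... is a
# well-known test card number).
SAMPLE_LOG = """\
2016-02-11 10:03:17 DEBUG checkout form: name=Jane+Doe&card_number=4111111111111111&exp=12%2F19&cvv=123&email=jane%40example.com
2016-02-11 10:04:02 DEBUG login form: username=jdoe&password=hunter2
2016-02-11 10:05:44 INFO  order 1001 shipped
2016-02-11 10:06:10 DEBUG checkout form: name=John&card_number=1234567890123456&cvv=999
"""

# Form field names that must never reach a log (assumed names for this example).
SENSITIVE_KEYS = {"card_number", "cvv", "password", "exp"}
PAN_RE = re.compile(r"\b\d{13,19}\b")
KEY_RE = re.compile(r"(?:^|[?&\s])([A-Za-z_]+)=")
FIELD_RE = re.compile(r"(?<![A-Za-z_])(" + "|".join(sorted(SENSITIVE_KEYS)) + r")=([^&\s]*)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def audit_log(text: str) -> List[Dict]:
    """Return one finding per log line that carries sensitive field names or a Luhn-valid PAN."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        keys = {m.group(1) for m in KEY_RE.finditer(line)}
        hits = sorted(keys & SENSITIVE_KEYS)
        pans = [p for p in PAN_RE.findall(line) if luhn_valid(p)]
        if hits or pans:
            findings.append({"line": lineno, "fields": hits, "luhn_pans": len(pans)})
    return findings

def redact(line: str) -> str:
    """What the logger should have emitted: sensitive values and card numbers masked."""
    line = FIELD_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    return PAN_RE.sub(lambda m: "[PAN]" if luhn_valid(m.group(0)) else m.group(0), line)

if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f)
```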

Furthermore, there’s confirmation that the Acer website was misconfigured
such that unauthorized users could browse its directory. Attackers could
access subdirectories from a web browser, according to a release published
by the attorney general’s office.

The investigation has found that 35,000 users based in the United States,
Canada, and Puerto Rico had their information stolen as a result of the
breach. At least one hacking group has been confirmed to have exploited the
site’s vulnerabilities to obtain this data between November 2015 and April
2016.

As well as the $115,000 settlement, Acer will be required to enforce
several new security policies intended to ensure that these mistakes aren’t
repeated. The company will have to deliver yearly employee training about
data security and customer privacy, and designate a specific employee to be
notified whenever customer data is stored without encryption, among a list
of other stipulations.