acer You Acer Holes! PC Maker Leaks Payment Cards In E-store Hack

[vissha]

You Acer Holes! PC Maker Leaks Payment Cards In E-store Hack

 

 

Lost info includes names, addresses, numbers and security codes

 

Acer's insecure customer database spilled people's personal information – including full payment card numbers – into hackers' hands for more than a year.

 

The PC maker has started writing to customers [PDF] warning that their personal records were siphoned off from its online store by crooks between May 12, 2015 and April 28, 2016.

 

Acer did not say how many customers had their details swiped.

 

The lost data includes customer names, addresses, card numbers, and three-digit security verification codes on the backs of the cards. Acer says that no passwords or social security numbers were obtained by the thieves, which will be of no comfort whatsoever to the victims.

 

"We took immediate steps to remediate this security issue upon identifying it, and we are being assisted by outside cybersecurity experts," said Acer vice-president of customer service Mark Groveunder.

 

"We have reported this issue to our credit card payment processor. We have also contacted and offered our full cooperation to federal law enforcement."

 

Acer urges customers who suspect their card numbers are being used for fraudulent charges to file reports with the police.

 

"If you suspect that you are a victim of identity theft or fraud, you have the right to file a police report," Groveunder added in the letter.

 

"In addition, you may contact your State Attorney General’s office or the US Federal Trade Commission to learn about steps you can take to protect yourself against identity theft."

 

Acer did not say if will be providing identity protection services to the folks whose payment card information it lost. The Taiwanese giant has since addressed the security vulnerability that allowed hackers to access its ecommerce website's database.

 

"We regret this incident occurred, and we will be working hard to enhance our security," Groveunder said.

 

Acer told El Reg its EMEA store was unaffected. "Customers in EMEA are not impacted since we have a different security and payment system for our ecommerce stores in the UK, France and Italy. In addition our ecommerce stores in those countries only went live approximately one month ago," a spokesperson said.

 

Source

[straycat19]

7 hours ago, vissha said:

We took immediate steps to remediate this security issue upon identifying it

 

And it took a YEAR to identify it.  Speaks loads about the quality of the sysadmins and security personnel and of a company who would even keep all that data on file.  More and more I see small businesses who are stating they don't keep credit card information once the payment is made.  One company I know (tire dealership)  will only keep their business customers charge information physically written on paper,  placed in a lockbox and then placed in an in-floor safe set in concrete.  Normal customers data is deleted as soon as the charge completes.  I wish all stores would do that.  Problem is people are getting so lazy they don't even want to type their card information in when they order something.  So what is seen as a convenience can cost them hundreds of hours on the phone and writing letters trying to get their identity and finances fixed when their data is stolen.  Some people (referred to as horror stories) have spent years trying to get it straight and haven't been able to do so.  If you have ever dealt with one of the credit tracking entities you will know what I mean.  One of them has my middle initial wrong and has an address listed for me where one of my ex-wives and her new husband live.  I told them about it 15 years ago and they refused to remove the data.  The only good thing is any mail I get with the wrong middle initial I just toss out because it had to come from them selling my name and address.