The breach that compromised the information of nearly 34,500 Acer online shoppers was caused by the company "inadvertently" storing consumer data "in an unsecured format," the company reportedly told PCWorld.
As a result, a hacker obtained unauthorized access to the data between May 12, 2015 and April 28, 2016, and was able to access names, addresses, card numbers, expiration dates and three-digit security codes, Acer said in a breach notification filed with the California Attorney General.
“Upon identifying this issue, we took immediate steps to fix the problem and are continuing to work with outside cyber security experts to enhance our security,” an Acer spokesperson told SCMagazine.com via email.
Acer subsequently notified law enforcement and those who were affected.
Mark Bower, HPE global director of product management, told SCMagazine.com via emailed comments that there is no reason Acer needed to store payment card data in any form on their systems.
“Today, there are specific and simple to deploy technologies that mitigate the risk of cyber attacks to e-commerce sites,” he said. “Thousands of leading merchants and well-known, name-brand online stores throughout the world have already adopted these approaches with great success, either on premises, or through payment processors services – with them, the risk of an attack being successful is absolutely minimized – attackers get nothing of value, just meaningless random data.”
Bower added that tokenization is the de facto approach for avoiding the need to store cardholder data while still letting analytics and applications function without live data risks.
Acer sent a Notice of Breach letter to the affected customers.