Taiwanese hardware and electronics company Acer will soon begin notifying customers of a data breach on its e-commerce website.
A sample breach notification letter warns that a third party might have gained unauthorized access to information about customers who visited Acer’s e-commerce site between May 12, 2015 and April 28, 2016:
“Based on our records, we have determined that your information may have been affected, potentially including your name, address, card number ending in [insert], expiration date and three-digit security codes.”
There is some good news contained in the letter. Acer does not collect Social Security numbers, which means the unauthorized party had no way of compromising that particular piece of information.
Also, there is no evidence to suggest this breach has exposed users’ passwords or login credentials. (If only we could say the same about the born-again 2012 LinkedIn hack.)
But compromised payment card details are no laughing matter. Not only are they an inconvenience for users who must look out for fraudulent transactions and financial organizations that must replace the cards, but they’re also an increasingly common occurrence given today’s rise of third-party data breaches.
Javvad Malik of AlienVault clarifies this development for IBTimes UK:
“Breaches as a result of third parties are not something new. The nature of business today is that organisations rely on many partners and suppliers to provide services to their customers. However, this supply chain needs to be managed and secured appropriately. Attackers will choose the path of least resistance to get into a company – and if it is well-secured, then this path will usually be through a third party that has legitimate access. Having an appropriate supplier security assurance framework in place that sets the requirements for a third party and also the ongoing controls is essential.”
As companies like Acer take a closer look into their vendor security, all customers who suspect they might have been affected by the breach should file a police report and/or contact their State Attorney General’s office or the US Federal Trade Commission to learn how they can protect themselves against identity theft.
At this time, Acer is not offering customers free identity protection services.
Let’s hope that decision reflects the presumed severity of the breach and not Acer’s willingness (or lack thereof) to help protect its customers.