Following a breach, the Taiwan-based computer manufacturer Acer will pay US$115,000 and improve its security practices in a settlement with the New York State Attorney General Eric T. Schneiderman.
The breach, first reported in June 2016, exposed personally identifiable information (PII) – names, addresses, email addresses, card numbers, expiration dates, security codes, user names and passwords – that was accessed over a one-year period, May 2015 through April 2016. The PII of more than 35,000 Acer customers across the US, Canada and Puerto Rico was compromised, including more than 2,200 in New York State.
An investigation by the NYSAG office found that the data was exposed because it was stored in an unsecured format when debugging mode was enabled on the e-commerce platform. Acer had also misconfigured the platform so that unauthorised users could browse its directories. The AG's investigation determined that "at least one attacker exploited Acer website vulnerabilities to view and exfiltrate sensitive customer data."
In addition to the fine, the terms of the settlement require Acer to take a number of steps to bolster its data security practices. These include:
- Designating an employee to coordinate and supervise the privacy and security of personal information, and training employees, particularly those handling PII;
- Responding to network anomalies, including unauthorised acquisition, access, use or disclosure of personal information;
- Designing and implementing reasonable safeguards to control the risks identified through risk assessment, including the use of multifactor authentication;
- Regularly testing the effectiveness of the safeguards' key controls, systems and procedures;
- Developing and using reasonable steps to select and retain service providers capable of maintaining security practices consistent with the agreement.
The computer manufacturer also agreed to adhere to the data security standards mandated by the credit card industry.
“Businesses have a duty to protect their customers' personal information as securely as possible,” said Schneiderman in a statement.
“Lax security practices like those we uncovered at Acer put New Yorkers' credit card information and other personal data at serious risk. That's unacceptable, and will change under the terms of our settlement today. My office will continue to hold businesses accountable for protecting their customers' private information.”