Acer fined US$115,000 for security breach


Following a breach, the Taiwan-based computer manufacturer Acer will pay US$115,000 and improve its security practices in a settlement with the New York State Attorney General Eric T. Schneiderman. 

The breach, first reported in June 2016, involved personally identifiable information (PII), including names, addresses, email addresses, card numbers, expiration dates, security codes and user names and passwords, which was accessed over a one-year period, from May 2015 through April 2016. The PII of more than 35,000 Acer customers across the US, Canada and Puerto Rico was compromised, including more than 2,200 in New York State.

An investigation by the NYSAG's office found that the data was exposed because it was stored in an unsecured format while debugging mode was enabled on the e-commerce platform. Acer also misconfigured its e-commerce platform, enabling directory browsing by unauthorised users. The AG's investigation determined that "at least one attacker exploited Acer website vulnerabilities to view and ex-filtrate sensitive customer data."

In addition to the fine, the terms of the settlement require Acer to take a number of steps to bolster its data security practices. These include:

  • Designating an employee to coordinate and supervise privacy and security of personal information; training employees, particularly those handling PII
  • Responding to network anomalies, including unauthorised acquisition, access, use or disclosure of personal information
  • Designing and implementing reasonable safeguards to control the risks identified through risk assessment, including use of multifactor authentication
  • Regular testing of the effectiveness of the safeguards' key controls, systems and procedures
  • Developing and using reasonable steps to select and retain service providers capable of maintaining security practices consistent with the agreement.

The computer manufacturer also agreed to adhere to the data security standards mandated by the credit card industry.

“Businesses have a duty to protect their customers' personal information as securely as possible,” said Schneiderman in a statement.

“Lax security practices like those we uncovered at Acer put New Yorkers' credit card information and other personal data at serious risk. That's unacceptable, and will change under the terms of our settlement today. My office will continue to hold businesses accountable for protecting their customers' private information.”

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition