NEW YORK – Attorney General Eric T. Schneiderman today announced a settlement with Acer Service Corporation (“Acer”), a computer manufacturer based in Taiwan, after a data breach of its website exposed over 35,000 credit card numbers. An investigation by the A.G.’s office revealed that sensitive Acer customer information was not protected by Acer for almost a full calendar year. Acer has agreed to pay $115,000 in penalties and to shore up its data security practices.
“Businesses have a duty to protect their customers’ personal information as securely as possible,” said Attorney General Schneiderman. “Lax security practices like those we uncovered at Acer put New Yorkers’ credit card information and other personal data at serious risk. That’s unacceptable, and will change under the terms of our settlement today. My office will continue to hold businesses accountable for protecting their customers’ private information.”
Acer manufactures computers and other electronics and sells them through various channels, including its website http://us-store.acer.com (“acer.com”). In January 2016, Discover Card analyzed hundreds of fraudulent credit card transactions and determined that Acer was the last merchant where a legitimate transaction took place. This is known as a “common point of purchase” and indicates that Acer was the target of a cyber-attack resulting in a compromise of credit card information.
The subsequent investigation revealed that at least one attacker exploited Acer website vulnerabilities to view and exfiltrate sensitive customer data. Between November 11, 2015 and April 28, 2016, the attacker(s) made hundreds of electronic requests for customer data. In all, sensitive data related to 35,071 people, including 2,250 New York residents, was stolen.
Acer’s website contained numerous vulnerabilities. For example, between July 4, 2015 and April 28, 2016, an Acer employee left debugging mode enabled on Acer’s e-commerce platform. Debugging mode is a setting that writes all data transferred through a website into a log file in plain text. It is intended for troubleshooting the website prior to launch, or otherwise when the site is offline and not processing customer transactions, and it should never be enabled on a production system handling payment data.
During this time, the website saved all the information provided by the customers in unencrypted plain text form to a log file. This information included first and last name; credit card number, expiration date and verification number (CVN); website user name and password; email address; and street address including city, state and zip code.
Additionally, Acer misconfigured its website to allow directory browsing by unauthorized users. This misconfiguration allowed the attacker(s) to view and access subdirectories on the website using a simple web browser.
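The two weaknesses above, a debug log that captures every request body in clear text and a web root that lists its own files, combine into a simple check a practitioner can run against a deployment: walk the directories a web server can serve and look for log files that contain Luhn-valid card numbers, card verification values, or password fields. The script below is an added example written for this page; it is not Acer's code, not part of the settlement, and the log lines it scans are constructed to resemble what a plaintext debug log would contain.

```python
"""Audit a web-served directory tree for debug logs that leak card data.

Added example for this page (not Acer's code). The sample log lines are
constructed; the card numbers are the well-known public test numbers.
"""
import re
import tempfile
from pathlib import Path

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run. Luhn filtering below removes order IDs and timestamps.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
CVN_RE = re.compile(r"\b(?:cvv2?|cvn|cvc)\s*[=:]\s*\d{3,4}", re.I)
PASSWORD_RE = re.compile(r"\b(?:pass(?:word)?|pwd)\s*[=:]\s*\S+", re.I)

# Constructed lines in the style of an e-commerce platform's debug log.
SAMPLE_LOG = [
    "2016-01-15 10:22:31 DEBUG POST /checkout user=jdoe pass=Winter2016 "
    "card=4111 1111 1111 1111 exp=12/19 cvn=123",
    "2016-01-15 10:22:45 DEBUG GET /order/1234567890123456 status=200",
    "2016-01-15 10:23:02 DEBUG POST /checkout user=asmith "
    "card=378282246310005 exp=03/18 cvv=9876",
]


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four so the report itself does not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Unmasked Luhn-valid card numbers found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_log_lines(lines) -> list:
    """One finding per line that exposes card data or a password."""
    findings = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        cvn = CVN_RE.search(line) is not None
        password = PASSWORD_RE.search(line) is not None
        if pans or cvn or password:
            findings.append({"line": n, "pans": [mask(p) for p in pans],
                             "cvn": cvn, "password": password})
    return findings


def scan_tree(root) -> dict:
    """Scan every *.log file under root (the assumed web root); map path to findings."""
    report = {}
    for path in Path(root).rglob("*.log"):
        found = scan_log_lines(path.read_text(errors="replace").splitlines())
        if found:
            report[str(path.relative_to(root))] = found
    return report


if __name__ == "__main__":
    # Build a throwaway web root with a debug log in a browsable subdirectory.
    with tempfile.TemporaryDirectory() as root:
        logdir = Path(root) / "logs"
        logdir.mkdir()
        (logdir / "debug.log").write_text("\n".join(SAMPLE_LOG))
        for path, found in scan_tree(root).items():
            for f in found:
                print(f"{path}:{f['line']} pans={f['pans']} "
                      f"cvn={f['cvn']} password={f['password']}")
```

The Luhn filter is what keeps the scan usable on real logs: a 16-digit order number such as the one on the second sample line is rejected, while the two checkout lines are reported with masked PANs. Any hit in a file that sits under a directory the server can list is the same exposure described in the paragraphs above.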
As a result of the security vulnerabilities described above, significant amounts of sensitive Acer customer information were left unprotected for almost a full calendar year.
The settlement requires Acer to maintain reasonable security policies designed to protect consumer personal information including:
This case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell and Assistant Attorney General Aaron Chase, under the supervision of Bureau Chief Kathleen McGee. The Bureau of Internet and Technology is overseen by Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.