LaCie admits year-long malware security breach; customer data at risk

Summary: Anyone who shopped for LaCie products in the last year could be at risk.

LaCie is the latest major retailer and tech company to find itself the target of a major security breach by unknown assailants.

The French hardware company confirmed in a statement on Tuesday that malware successfully made its way through to access sensitive customer information stemming from transactions on its website.

Here's where things get really bad: Virtually everyone who shopped on LaCie's website in the last year is at risk.

LaCie, in which American hard drive maker Seagate has a controlling stake, said it was informed about the breach on March 19, 2014 by the FBI.

But the hardware company speculated that all transactions between March 27, 2013 and March 10, 2014 were possibly affected.

Brian Krebs, the former Washington Post reporter who first broke the Target security breach story last winter, reiterated on his security blog on Tuesday that he previously published evidence about the LaCie attack last month.

Krebs said that the digital storefront had "been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe’s ColdFusion software."

To recall, Adobe was hit by an attack last fall, leaving both customer information and source code for numerous Adobe products vulnerable, including Adobe Acrobat, ColdFusion, and the ColdFusion Builder. In that case, although the original estimated number of accounts affected hovered under three million, the count was later updated to approximately 38 million. The ColdFusion holes have since been patched.

As for LaCie, customer names, addresses, email addresses, and payment card numbers and card expiration dates are all at risk as are usernames and passwords. LaCie asserted it already required users to reset their passwords.

LaCie said it started notifying affected customers via letter on April 11, 2014.

Along with the FBI, LaCie said it had tapped an unnamed forensic investigation firm to help with the investigation as well as deploy new security measures. In the meantime, LaCie has shuttered its digital store until the payments infrastructure can be fully secured.

CORRECTION: A previous edition of this post stated that LaCie is set to merge with Seagate. Seagate already completed the acquisition of a controlling share of LaCie stocks in 2012.

Topics: Security, E-Commerce, Hardware, Malware, Privacy

About

Rachel King is a staff writer for CBS Interactive based in San Francisco, covering business and enterprise technology for ZDNet, CNET and SmartPlanet. She has previously worked for The Business Insider, FastCompany.com, CNN's San Francisco bureau and the U.S. Department of State. Rachel has also written for MainStreet.com, Irish Americ...
