LaCie admits year-long malware security breach; customer data at risk

Summary: Anyone who shopped for LaCie products in the last year could be at risk.


LaCie is the latest major retailer and tech company to find itself the target of a major security breach by unknown assailants.

The French hardware company confirmed in a statement on Tuesday that malware successfully made its way through to access sensitive customer information stemming from transactions on its website.

Here's where things get really bad: Virtually everyone who shopped on LaCie's website in the last year is at risk.

LaCie, in which American hard drive maker Seagate holds a controlling stake, said it was informed about the breach on March 19, 2014 by the FBI.

But the hardware company speculated that all transactions between March 27, 2013 and March 10, 2014 were possibly affected.

Brian Krebs, the former Washington Post reporter who first broke the Target security breach story last winter, reiterated on his security blog on Tuesday that he previously published evidence about the LaCie attack last month.

Krebs said that the digital storefront had "been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe’s ColdFusion software."

To recall, Adobe was hit by an attack last fall, leaving both customer information and source code for numerous Adobe products vulnerable, including Adobe Acrobat, ColdFusion, and the ColdFusion Builder. In that case, although the original estimated number of accounts affected hovered under three million, the count was later updated to approximately 38 million. The ColdFusion holes have since been patched.

As for LaCie, customer names, addresses, email addresses, payment card numbers and card expiration dates are all at risk, as are usernames and passwords. LaCie asserted it already required users to reset their passwords.

LaCie said it started notifying affected customers via letter on April 11, 2014.

Along with the FBI, LaCie said it had tapped an unnamed forensic investigation firm to help with the investigation as well as deploy new security measures. In the meantime, LaCie has shuttered its digital store until the payments infrastructure can be fully secured.

CORRECTION: A previous edition of this post stated that LaCie is set to merge with Seagate. Seagate already completed the acquisition of a controlling share of LaCie stocks in 2012.

Topics: Security, E-Commerce, Hardware, Malware, Privacy


Talkback

2 comments
  • Well I'd say...

    you'd think an IT related business would discover earlier that a breach occurred, but WOW! I thought Target was a jerk! But sheeze, I guess I won't say that! ]:)
    JCitizen
  • Investigation

    someone is investigating a class action lawsuit

    http://www.consumerclassactionlawyers.com/lacie-data-breach.html
    DLS21