LaCie admits year-long malware security breach; customer data at risk

Anyone who shopped for LaCie products in the last year could be at risk.


LaCie is the latest major retailer and tech company to find itself the target of a major security breach by unknown assailants.

The French hardware company confirmed in a statement on Tuesday that malware successfully made its way through to access sensitive customer information stemming from transactions on its website.


Here's where things get really bad: Virtually everyone who shopped on LaCie's website in the last year is at risk.

LaCie, in which American hard drive maker Seagate holds a controlling stake, said it was informed about the breach by the FBI on March 19, 2014.

But the hardware company speculated that all transactions between March 27, 2013 and March 10, 2014 were possibly affected.

Brian Krebs, the former Washington Post reporter who first broke the Target security breach story last winter, reiterated on his security blog on Tuesday that he previously published evidence about the LaCie attack last month.

Krebs said that the digital storefront had "been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe’s ColdFusion software."

To recall, Adobe was hit by an attack last fall, leaving both customer information and source code for numerous Adobe products vulnerable, including Adobe Acrobat, ColdFusion, and the ColdFusion Builder. In that case, although the original estimated number of accounts affected hovered under three million, the count was later updated to approximately 38 million. The ColdFusion holes have since been patched.

As for LaCie, customer names, addresses, email addresses, payment card numbers and card expiration dates are all at risk, as are usernames and passwords. LaCie asserted it already required users to reset their passwords.

LaCie said it started notifying affected customers via letter on April 11, 2014.

Along with the FBI, LaCie said it had tapped an unnamed forensic investigation firm to help with the investigation as well as deploy new security measures. In the meantime, LaCie has shuttered its digital store until the payments infrastructure can be fully secured.

CORRECTION: A previous edition of this post stated that LaCie is set to merge with Seagate. Seagate already completed the acquisition of a controlling share of LaCie stocks in 2012.