Taiwanese consumer electronics manufacturer Acer has revealed that its US online store Acer.com has suffered a data breach that potentially could have affected every single customer who accessed the website over the past 12 months.
Acer has sent a letter informing all users of its online store in the US that they might have had their names, addresses, payment card numbers, card expiry dates and three-digit card security (CCV) numbers compromised if they accessed the website between 12 May 2015 and 28 April 2016.
The firm is not revealing how many users have been impacted by the data breach, but it says that following an investigation by its staff and a team of outside cybersecurity experts, it can confirm that no evidence was found of the attackers gaining access to user login credentials like usernames and passwords. "Safeguarding your personal information is important to us. We took immediate steps to remediate this security issue upon identifying it, and we are being assisted by outside cybersecurity experts. We have reported this issue to our credit card payment processor. We have also contacted and offered our full cooperation to federal law enforcement," Acer wrote in the letter submitted to the California Attorney General's office.
"If you suspect that you are a victim of identity theft or fraud, you have the right to file a police report. In addition, you may contact your State Attorney General's office or the US Federal Trade Commission to learn about steps you can take to protect yourself against identity theft."
Acer is advising all users to review their payment account statements and to order a free credit report to make sure that they are not victims of identity theft or fraud, and customers are also encouraged to call Acer's US support centre if they have further enquiries. However, it should be noted that users outside the US who used Acer's online store to purchase products, or accessed the website with their accounts during the period listed, would also be advised to check their records.
"Breaches as a result of third parties are not something new. The nature of business today is that organisations rely on many partners and suppliers to provide services to their customers. However, this supply chain needs to be managed and secured appropriately," said Javvad Malik, security advocate at AlienVault.
"Attackers will choose the path of least resistance to get into a company – and if it is well-secured, then this path will usually be through a third party that has legitimate access. Having an appropriate supplier security assurance framework in place that sets the requirements for a third party and also the ongoing controls is essential."