You Acer holes! PC maker leaks payment cards in e-store hack

Acer's insecure customer database spilled people's personal information – including full payment card numbers – into hackers' hands for more than a year. The PC maker has started writing to customers [PDF] warning that their personal records were siphoned off from its online store by crooks between May 12, 2015 and April 28, …

  1. redpawn

    You would think...

    being in the computer industry that they would understand security but one after another computer manufacturer has blown security for quick roll out. Bad update software, drivers, security certificates, and data breaches leave no room for trust.

    Wipe your new machines and use as few manufacturer services and as little OEM software as possible.

  2. Captain Badmouth
    FAIL

    "We took immediate steps to remediate this security issue upon identifying it, and we are being assisted by outside cybersecurity experts, as we obviously have no such expertise in-house" said Acer vice-president of customer service Mark Grovel and hide under."

    Only took 'em a year to find out, par for the course. What were we saying in another thread about peanuts and monkeys and outsourcing?

    1. Destroy All Monsters Silver badge

      outside cybersecurity experts

      Hopefully not one of the "cybersecurity" outfits taken down previously by actually skilled hackers.

  3. VinceH
    Unhappy

    "Acer did not say how many customers had their details swiped."

    Don't worry. I'm sure it will only be "a small number of people" who have been affected.

    1. Anonymous Coward
      Anonymous Coward

      ...by the 'sophisticated' hack....

  4. frank ly

    Storing CC security verification codes

    Is this allowed? It shouldn't be.

    1. Justin Pasher

      Re: Storing CC security verification codes

      Per PCI DSS section 3.2.2:

      Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization.

      This goes all the way back to PCI DSS 1.2 (2008). But hey, we like to treat them more like "guidelines" than rules.

      1. Oldfogey

        Re: Storing CC security verification codes

        Strictly not allowed to store the security code - but I come across companies that do it all the time. If I realise in time (usually on a phone transaction) I ask if they are doing so, and then cancel the transaction in a very pointed way - including reporting them.

        They SHOULD have their card-not-present permission removed, but I doubt it ever happens.

        1. Chris King

          Re: Storing CC security verification codes

          "Strictly not allowed to store the security code"

          They're allowed to store it up to the point the transaction is authorized, but not afterwards - not even if it is encrypted.
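The PCI DSS 3.2.2 rule quoted above, and the "until authorization, not afterwards" point in the reply, can be made concrete in code. The following is an added example and not anything from Acer's store or from the PCI council: a minimal card-not-present flow in which the verification code lives only in memory for the duration of the authorization call and is dropped before a record is persisted, plus an audit function that scans whatever did get stored for CVV-like fields or unmasked card numbers. The acquirer call (`fake_acquirer_authorize`), the field names and the sample card number are all constructed assumptions.

```python
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Field names a stored record must never carry (assumption: a reasonable
# list of aliases, not taken from any standard's text).
FORBIDDEN_KEYS = {"cvv", "cvc", "cvv2", "cid", "card_verification_code"}
# A run of 13-19 digits looks like a full PAN; stored records should only
# hold a masked form (at most first six and last four digits).
FULL_PAN = re.compile(r"\d{13,19}")


@dataclass
class CardInput:
    """Card data as entered at checkout; cvv exists only until authorization."""
    pan: str
    expiry: str
    cvv: Optional[str]


@dataclass
class StoredTransaction:
    """What is allowed to reach the database: no CVV, no full PAN."""
    order_id: str
    masked_pan: str
    expiry: str
    auth_code: str


def mask_pan(pan: str) -> str:
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def fake_acquirer_authorize(card: CardInput, amount_cents: int) -> dict:
    # Stand-in for the acquirer's API (constructed; not a real gateway).
    if card.cvv is None or not card.cvv.isdigit() or len(card.cvv) not in (3, 4):
        return {"approved": False, "auth_code": ""}
    return {"approved": True, "auth_code": "A1B2C3"}


def authorize_and_store(order_id: str, card: CardInput, amount_cents: int, store: list):
    """Authorize, then persist a record that carries no CVV and no full PAN."""
    try:
        resp = fake_acquirer_authorize(card, amount_cents)
    finally:
        # Discard the verification code the moment authorization is over,
        # whether it was approved, declined or raised.
        card.cvv = None
    if not resp["approved"]:
        return None
    rec = StoredTransaction(order_id, mask_pan(card.pan), card.expiry, resp["auth_code"])
    store.append(asdict(rec))  # the persisted form is a plain dict of safe fields
    return rec


def audit_persisted(store: list) -> list:
    """Return a violation per stored field that holds a CVV or an unmasked PAN."""
    violations = []
    for rec in store:
        oid = rec.get("order_id", "?")
        for key, value in rec.items():
            if key.lower() in FORBIDDEN_KEYS:
                violations.append(f"{oid}: stored {key}")
            if isinstance(value, str) and FULL_PAN.search(value):
                violations.append(f"{oid}: unmasked PAN in {key}")
    return violations


if __name__ == "__main__":
    db = []
    card = CardInput("4111 1111 1111 1111", "12/27", "123")  # constructed test number
    authorize_and_store("order-1", card, 1999, db)
    print(db, audit_persisted(db))
    # A legacy-style record that kept everything is flagged twice.
    legacy = {"order_id": "legacy", "pan": "4111111111111111", "cvv": "123"}
    print(audit_persisted(db + [legacy]))
```

The audit is the part worth keeping around: run it against a dump of the real orders table and any record that still carries a verification code or a full card number after authorization is a finding, regardless of whether the column happens to be encrypted.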

  5. Anonymous Coward
    Facepalm

    Personal records siphoned off from online store

    "The lost data includes customer names, addresses, card numbers, and three-digit security verification codes on the backs of the cards."

    Presumably the people that wrote the e-commerce platform couldn't figure out a way of defeating the built-in password salting-and-hashing functions of the Operating System. And given that I don't understand the intricacies of the modern online ecommerce platform, what was such information even doing being stored online unencrypted and in the clear?

    'no passwords or social security numbers were obtained by the thieves'

    Not exactly what they said:

    "we have not identified evidence indicating that password or login credentials were affected"

    What they should have said: If the 'cyber' thieves got hold of your encrypted password they could run it against a rainbow table and extract the plain text. If you use the same password here or elsewhere change the password immediately.

    1. Tessier-Ashpool

      Re: Personal records siphoned off from online store

      This isn't necessarily what happened. It's possible that the attackers managed to do a bit of code injection on the app server so that any https responses got intercepted, processed and hijacked. All it takes is a custom module and minor config change on some systems. Maybe nothing at all to do with their database. That would explain why it only happened for a certain number of time-limited transactions.

      1. Mephistro

        Re: Personal records siphoned off from online store (@ Tessier-Ashpool)

        "That would explain why it only happened for a certain number of time-limited transactions."

        For "more than a year"???

  6. Stevie

    Bah!

    I hope visa and co hound these stupid, stupid people for all the costs incurred.

    How could anyone be so shit thick as to store the three digit security code when they've been told in as many words not to do so, and how could these stupid, stupid morons store any credit card information in an unencrypted form?

    Who in god's name is doing their IT?

    It is beyond stupid. Radio waves take three hours to get from stupid to where these morons do business.

    Acer deserve to have their accreditation with whatever merchanting system is handling their transactions rescinded so they'll be forced to use a third party that understands the importance of protecting people's personal financial instruments to transact any sales.

    Good Christ Almighty on a crutch.

    1. GrumpenKraut
      Thumb Up

      Re: Bah!

      > Radio waves take three hours to get from stupid to where these morons do business.

      Quality rant!

      1. Stevie

        Re: Bah!

        Remember: when asking "why are my credit card charges and fees so high?" that the answer is "shit like unto that perpetrated by Acer's crack IT team".

        Who do you think ends up footing the bill for fraudulently lost funds?

        1. Barry Rueger

          Re: Bah!

          I'll hazard a guess that high credit card fees also reflect the greed that demands multi-billion dollar profits each quarter.

          Losses are likely insured.

    2. Mephistro
      Thumb Up

      Re: Bah!

      "Radio waves take three hours to get from stupid to where these morons do business."

      Straight to my quotes/scrap book, with attribution!

      1. Destroy All Monsters Silver badge
        Thumb Up

        Re: Bah!

        Fukken saved!

        There is a link for "Report abuse", but none for "Report excellent abuse". Pity.

  7. Wolfclaw

    Going to cost Acer a fair whack of change in compensation for any fraud, unless their lawyers have already come up with excuses to avoid liability, before making news public!!

  8. ecofeco Silver badge

    Another week another hack, yet again

    If it's Tuesday, this must be Belgium.

    That's an old movie ref, BTW.

  9. MacNews

    Happens All The Time

    Acer mailed me a letter about this last week. This happens often in America, my card number had already been compromised through some other merchant, so this card is long gone.

    1. Brenda McViking
      Headmaster

      Re: Happens All The Time

      I'm afraid I take issue with your brutish command of the English language good sir. So naturally, after a cup of tea this fine morning, I have re-written it for you.

      Consider:

      Those devilish blighters working for Acer mailed sent me a letter about this last week via the outfit pretending to be Her Majesty's postal system that one uses here in the Americas. This happens so often in America the former colonies, my that of course one's card number had already been compromised prior, through some other merchant another scallywag masquerading as a purveyor of goods, so one took the liberty of disposing of this card is long gone quite some time ago as a suitable precaution. What?
