Hardware maker LaCie admits to year-long credit card breach

A major hardware maker has admitted to a nearly year-long credit card breach - just the latest in a string of companies hit by exploits of Adobe ColdFusion vulnerabilities.

Security blogger Brian Krebs last month found evidence that the online store for computer hard drive maker LaCie had been infiltrated and that customers' credit card numbers and contact information had been exposed.

Specifically, Krebs found LaCie.com listed in the control panel of a botnet of hacked ecommerce sites.

Nope, LaCie said at the time, we engaged third-party security firms and are investigating, but so far, we haven't found evidence of such.

Now, we can scratch that. Evidence has been found that the data was indeed exposed for the better part of a year, the company acknowledged in a statement sent to Krebs on Monday.

The statement came from Clive J. Over, a spokesman for Seagate, which now owns LaCie.

According to Over, the breach may have exposed credit card transactions and customer information for nearly a year, beginning 27 March, 2013 and on up until 10 March, 2014.

The possibly breached information includes name, address, email address, payment card number and card expiration date for transactions made between those dates.

Over didn't disclose the number of affected records, if the company even knows that yet.

LaCie is moving to a provider that specializes in secure payment processing, he said, and has temporarily shuttered the ecommerce portion of its site during the transition.

The company sent notifications to possibly-affected individuals and is working with credit card companies and federal authorities as they continue to investigate.

According to Krebs, the same gang who went after LaCie has been exploiting the ColdFusion vulnerabilities at a long list of other companies, stealing enormous treasure troves that contain tens of millions of records.

Between the gang Krebs has been following and the alleged antics of Anonymous-affiliated Lauri Love - a British man who in October 2013 was charged with hacking into computer systems of the US army, NASA and many other federal agencies - these are organizations that intruders have exploited via ColdFusion holes:

  • Smuckers, a US jam/jelly maker
  • The US credit card processor SecurePay
  • Government sites including the US Department of Health and Human Services, the US Sentencing Commission, the Department of Energy, the National White Collar Crime Center and the Regional Computer Forensics Laboratory
  • The mother of all ColdFusion-related break-ins, Adobe, which lost not only Adobe IDs, encrypted passwords, customer names, encrypted debit and credit card numbers, expiry dates and customer order details for 38 million users, but also source code for its top selling software, including ColdFusion, Adobe Reader/Acrobat/Photoshop
  • Data brokers LexisNexis, Dun & Bradstreet, and Kroll
  • French car maker Citroën

Is that it? Is LaCie the last company to fall?

That's doubtful.

These gangs' operations have continued into 2014, and as LaCie's example shows, firms are just now finding evidence of exploits.

Krebs found dozens of other online shops listed on the botnet control panel he's examined, the cached page for which dates to August 2013.

When he wrote about it in March, some of the companies hadn't yet responded.

So once again, we're going to have to stay tuned. So far, we haven't seen any shortage of breach news relating to this gang and the ColdFusion vulnerabilities, and there's no reason to expect that we will in the near future.

If you've been shopping online at LaCie in the months it was vulnerable, you might want to check your credit card transactions for fishy activity.

Of course, given that Heartbleed-victimized companies have just this past week begun to find and announce their own data exploits, the advice to keep an eye on your credit history goes for us all, regardless of where we shop online, whether for hardware, a cute French car, sweet stuff to spread on our toast or fill in the blank.

2 Responses to Hardware maker LaCie admits to year-long credit card breach

  1. Spryte · 197 days ago

    Any evidence to show if users of their Wuala Cloud Storage Service were in this compromised group?

    >>>" given that Heartbleed-victimized companies have just this past week begun to find and announce their own data exploits"<<<

    I doubt very much that we will ever see more than the tip of that iceberg...

  2. Lisa Vaas · 196 days ago

    The company didn't mention Wuala Cloud Storage Service (please do bear in mind that Naked Security suggests you swap the term "cloud" for "on somebody else's computer"). As far as what we've heard so far, the online transactions are what were affected. LaCie didn't say anything about Wuala, nor did Brian Krebs.

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.