A major hardware maker has admitted to a nearly year-long credit card breach - just the latest in a string of companies that have suffered Adobe ColdFusion vulnerabilities-related exploits.
Security blogger Brian Krebs last month found evidence that the online store for computer hard drive maker LaCie had been infiltrated and that customers' credit card numbers and contact information had been exposed.
Specifically, Krebs found LaCie.com listed in the control panel of a botnet of hacked ecommerce sites.
Nope, LaCie said at the time, we engaged third-party security firms and are investigating, but so far, we haven't found evidence of such.
Now, we can scratch that. Evidence has been found that the data was indeed exposed for the better part of a year, the company acknowledged in a statement sent to Krebs on Monday.
The statement came from Clive J. Over, a spokesman for Seagate, which now owns LaCie.
According to Over, the breach may have exposed credit card transactions and customer information for nearly a year, beginning 27 March, 2013 and on up until 10 March, 2014.
The possibly breached information includes name, address, email address, payment card number and card expiration date for transactions made between those dates.
Over didn't disclose the number of affected records, if the company even knows that yet.
LaCie is moving to a provider that specializes in secure payment processing, he said, and has temporarily shuttered the ecommerce portion of its site during the transition.
The company sent notifications to possibly-affected individuals and is working with credit card companies and federal authorities as they continue to investigate.
According to Krebs, the same gang who went after LaCie has been exploiting the ColdFusion vulnerabilities at a long list of other companies, stealing enormous treasure troves that contain tens of millions of records.
Between the gang Krebs has been following and the alleged antics of Anonymous-affiliated Lauri Love - a British man who in October 2013 was charged with hacking into computer systems of the US army, NASA and many other federal agencies - these are organizations that intruders have exploited via ColdFusion holes:
- Smuckers, a US jam/jelly maker
- The US credit card processor SecurePay
- Government sites including the US Department of Health and Human Services, the US Sentencing Commission, the Department of Energy, the National White Collar Crime Center and the Regional Computer Forensics Laboratory
- The mother of all ColdFusion-related break-ins, Adobe, which lost not only Adobe IDs, encrypted passwords, customer names, encrypted debit and credit card numbers, expiry dates and customer order details for 38 million users, but also source code for its top selling software, including ColdFusion, Adobe Reader/Acrobat/Photoshop
- Data brokers LexisNexis, Dun & Bradstreet, and Kroll
- French car maker Citroën
Is that it? Is LaCie the last company to fall?
These gangs' operations have been operating into 2014, and as LaCie's example shows, firms are just now finding evidence of exploits.
Krebs found dozens of other online shops listed on the botnet control panel he's examined, the cached page for which dates to August 2013.
When he wrote about it in March, some of the companies hadn't yet responded.
So once again, we're going to have to stay tuned. So far, we haven't seen any shortage of breach news relating to this gang and the ColdFusion vulnerabilities, and there's no reason to expect that we will in the near future.
If you've been shopping online at LaCie in the months it was vulnerable, you might want to check your credit card transactions for fishy activity.
Of course, given that Heartbleed-victimized companies have just this past week begun to find and announce their own data exploits, the advice to keep an eye on your credit history goes for us all, regardless of where we shop online, whether for hardware, a cute French car, sweet stuff to spread on our toast or fill in the blank.