Hard drive specialist LaCie has admitted a data breach that exposed customer emails and passwords – and the attack went undetected for an entire YEAR. Potential victims have been notified, but the scale and damage of the attack are yet to be assessed.
The computer storage specialist LaCie, maker of popular detachable hard drives and USB devices, has admitted to a major data breach in which credit card details and passwords of shoppers may have leaked.
In a statement, the French company said that an unknown attacker may have used malware to penetrate its online store. At the time of writing, it’s still unclear whether the leaked data has been used – or how many customers have been affected.
The LaCie breach is one of the longer-lasting among the recent spate of such attacks, with the leak extending from March 2013 to 10 March this year, according to LaCie.
The company said that it had notified potential victims via email, and was working closely with credit card companies and law enforcement to deal with the breach. In a statement, the company also said that it had suspended trading until improved security measures were implemented.
The BBC’s report said that it was unusual for such a major breach to go unnoticed for so long. It also said that the breach could be particularly damaging as LaCie sold some security products, and a breach of this scale could damage its reputation.
Veteran security researcher and writer, and We Live Security contributor, Graham Cluley says, “In an ideal world, attacks get prevented in the first place and you have done enough work to secure your website and maybe hired some penetration testers to see if there are vulnerabilities.”
“If you can’t prevent it in the first place, hopefully you can pick it up while it’s occurring and deflect it. Clearly LaCie did fail in some way. They should have spotted something was happening.”
“It is a major breach,” Ron Austin, senior lecturer in computer security at Birmingham City University, told the BBC.
“LaCie is a fairly big company and you would question their information security policies.
“No expert can guarantee 100% security, but it goes back to compliance and ensuring that if you’re offering services out on to the web that you are carrying out regular checks.”
LaCie responded quickly with a statement saying, “On March 19, 2014, LaCie USA, a subsidiary of Seagate, found indications that an unauthorized person used malware to gain access to information from customer transactions made through LaCie’s website. The information that may have been accessed by the unauthorized person includes name, address, email address, payment card number and card expiration date for transactions made between March 27, 2013 and March 10, 2014.
“We engaged a leading forensic investigation firm, who conducted a thorough investigation into this matter. As a precaution, we have temporarily disabled the e-commerce portion of the LaCie website while we transition to a provider that specializes in secure payment processing services. We will resume accepting online orders once we have completed the transition.”