A.G. Schneiderman Announces Settlement With Computer Manufacturer After Data Breach Exposed More Than 35,000 Credit Card Numbers

Acer Service Corporation Must Pay $115,000 In Penalties And Reform Data Security Practices

Attorney General Eric T. Schneiderman recently announced a settlement with Acer Service Corporation (“Acer”), a computer manufacturer based in Taiwan, after a data breach of its website exposed over 35,000 credit card numbers. An investigation by the A.G.’s office revealed that sensitive Acer customer information was not protected by Acer for almost a full calendar year. Acer has agreed to pay $115,000 in penalties and to shore up its data security practices.

“Businesses have a duty to protect their customers’ personal information as securely as possible,” said Attorney General Schneiderman. “Lax security practices like those we uncovered at Acer put New Yorkers’ credit card information and other personal data at serious risk. That’s unacceptable, and will change under the terms of our settlement today. My office will continue to hold businesses accountable for protecting their customers’ private information.”

Acer manufactures computers and other electronics and sells them through various channels including through its website http://us-store.acer.com (“acer.com”). In January 2016, Discover Card analyzed hundreds of fraudulent credit card transactions on the website and determined that Acer was the last merchant where a legitimate transaction took place. This is known as a “common point of purchase” and indicates that Acer was the target of a cyber-attack resulting in a compromise of credit card information.

The subsequent investigation revealed that at least one attacker exploited Acer website vulnerabilities to view and ex-filtrate sensitive customer data. Between November 11, 2015 and April 28, 2016, the attacker(s) made hundreds of electronic requests for customer data. In all, sensitive data related to 35,071 people, including 2,250 New York residents, was stolen.

Acer’s website contained numerous vulnerabilities. For example, between July 4, 2015 and April 28, 2016, an Acer employee enabled debugging mode on Acer’s e-commerce platform. Debugging mode is a setting that stores all data transferred through a website into a log file in plain text format to troubleshoot the website prior to launch, or otherwise when it is offline and not processing customer transactions.

During this time, the website saved all the information provided by the customers in unencrypted plain text form to a log file. This information included first and last name; credit card number, expiration date and verification number (CVN); website user name and password; email address; and street address including city, state and zip code.

Additionally, Acer misconfigured its website to allow directory browsing by unauthorized users. This misconfiguration allowed the attacker(s) to view and access subdirectories on the website using a simple web browser.

As a result of the security vulnerabilities described above, significant amounts of sensitive Acer customer information was not protected for almost a full calendar year.

The settlement requires Acer to maintain reasonable security policies designed to protect consumer personal information including:

1. Designation of an employee(s) to coordinate and supervise its program designed to protect the privacy and security of personal information;
2. Designation of an employee(s) to be notified whenever any personal information is saved to, or stored on, Acer’s file system in unencrypted form;
3. Annual employee training to at a minimum inform employees who are responsible for handling personal information about data security, the importance of consumer privacy and their duty to help maintain its integrity;
4. Responding to events involving unauthorized acquisition, access, use or disclosure of personal information including training all staff who are responsible for inputting, entering, maintaining, storing or transferring personal information on data breach notification law;
5. Identifying material risks to the security and confidentiality of personal information that are reasonably likely to result in the unauthorized disclosure, misuse, copying, alteration, destruction, or other compromise of such information, including through the regular review of security industry news sources for newly identified security vulnerabilities;
6. Designing and implementing reasonable safeguards to control the risks identified through risk assessment, including use of multi-factor authentication for remote access to Acer computer systems; implementation of an intrusion detection system; and penetration testing (at least annually) and vulnerability assessments (at least quarterly);
7. Regular testing of the effectiveness of the safeguards’ key controls, systems, and procedures; and
8. Developing and using reasonable steps to select and retain service providers capable of maintaining security practices consistent with the agreement and requiring service providers by contract to implement and maintain appropriate safeguards.

Acer has also agreed to maintain the data security standards required by the credit card industry.

This case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell and Assistant Attorney General Aaron Chase, under the supervision of Bureau Chief Kathleen McGee. The Bureau of Internet and Technology is overseen by Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.