Acer to Pay $115K in Penalties for Credit Card Security Breach

Thousands of user’s personal data was compromised back in June 2016 after an Acer employee enabled debugging mode on the company’s e-commerce platform for nearly a year, between July 2015 through April 2016. This was initially disclosed by the Taiwanese computer manufacturer to the California attorney general last year. When in debugging mode, data is stored in an unencrypted, plain-text log file whenever a transaction takes place. Information including full names, user names, e-mails, passwords, addresses, credit card numbers including expiration dates and verification were left exposed and as a result, 34,500 users from the United States and Canada had these information stolen when a hacking group took advantage of this vulnerability. Additional investigation also revealed that Acer’s website was misconfigured that unauthorized users could just browse its directory listing directly. Social security numbers were however, left secure.

The New York attorney general’s office has ordered Acer to pay $115,000 USD in penalties with the assurance that digital security will be further strengthened through enacting several new policies. This includes periodical employee training about data security and fail-safe notifications whenever data is stored unencrypted in their e-commerce system. While not nearly as severe as Yahoo! leaking over 500 million user data, it shows how a simple lapse of judgment can cause a major security concern and that sometimes the solution is also equally as simple. Acer’s quick disclosure after discovery and the fact that it was an honest mistake is most likely the reason why the penalties are not nearly as high compared to other companies’ security breaches.