Taiwanese electronics company Acer began sending letters to customers last week indicating that some of their sensitive financial information – credit card data included – may have been accessed over the last year or so.
Customers’ names, addresses, card numbers, expiration dates, and three-digit CVV security codes may have been accessed by a third party, according to a data breach letter that the company is circulating to its customers. Anyone who purchased an item from Acer’s e-commerce site over the course of nearly a year, from May 12, 2015 to April 28, 2016, may be affected, according to the company.
The letter, which includes a handful of steps customers can take in the wake of the breach – security freezes, fraud alerts, etc. – surfaced on the website for California’s Office of the Attorney General last week.
To quell customers’ fears, the company claims that usernames and passwords weren’t affected and that it doesn’t collect Social Security numbers. As a result of the breach, Acer said it’s “working hard to enhance” its security, adding that it regrets the incident occurred.
“We value the trust you place in us,” Mark Groveunder, Vice President, Customer Service, Acer Service Corporation, wrote. “We regret this incident occurred, and we will be working hard to enhance our security.”
Unfortunately for customers, the rest of the letter is scant on details. It’s unclear how attackers were able to compromise the e-commerce site, whether they had access for the entire May 2015-April 2016 span of time, or even whether the information was encrypted. It’s also unclear whether Acer dismantled the e-commerce site following discovery of the breach. Customers looking to purchase Acer products currently can’t do so through the site and instead are redirected to other online retailers.
The company did not immediately return a request for further comment on Monday, but according to ZDNet, which cites a spokesperson with the company, roughly 34,500 customers based in the United States, Canada, and Puerto Rico may be affected.
At worst, the attack could open thousands of Acer customers up to credit card fraud, as all the information that pertains to credit cards could easily be used to purchase items online.