The French computer hardware company LaCie, perhaps best known for its external hard drives, announced this week that it fell victim to a data breach that may have put at risk the sensitive information of anyone who purchased a product from its website during the last year.
According to an incident notification posted today, an attacker used malware to infiltrate LaCie’s eCommerce website for almost a month and, in turn, glean customer information. Attackers had access from March 27, 2013 to March 10, 2014, but it wasn’t until last Friday that LaCie began to inform customers at risk.
In addition to its ubiquitous rugged orange external hard drives, LaCie, which is headquartered in Paris, also manufactures RAID arrays, flash drives, and optical drives.
The announcement warns that anyone who purchased an external hard drive or any other LaCie hardware from the company’s website during that time period may have had their data stolen. That information includes customers’ names, addresses and email addresses, as well as payment card information and card expiration dates.
While the company has hired a “leading forensic investigation firm” to continue looking into the technicalities of the breach – how many are affected, etc. – for the time being LaCie has suspended all online sales until they can “transition to a provider that specializes in secure payment processing services.”
A report from KrebsonSecurity.com last month speculated that the company’s storefront may have been hijacked by hackers using security vulnerabilities in Adobe’s ColdFusion development platform.
According to Krebs, LaCie’s eCommerce site was one of nearly 50 eCommerce websites found ensnared in a nasty ColdFusion botnet that was leaking consumer credit card information. The security reporter previously surmised that the hackers behind the botnet are the same attackers behind last year’s Adobe breach that leaked source code for Reader and ColdFusion, not to mention the personal information of millions of its customers.
At the time, Clive Over, a spokesman for Seagate, which bought LaCie in 2012, told Krebs the company was not “aware that company or third party information was improperly accessed” when informed that one of its servers had been targeted and breached in 2013. Over went on to say that LaCie was “working with third party experts to do a deeper forensic analysis,” the same search that would eventually yield the breach’s discovery.