The Federal Bureau of Investigation alerted the company on March 19 it had “indications that an unauthorized person used malware to gain access to information from customer transactions that were made through LaCie’s website,” according to a statement posted on LaCie.com.
Security writer Brian Krebs claimed to have notified Seagate, which acquired LaCie in 2012 but retained the brand name, of the breach on March 17 but was informed there was no evidence of such a breach. At the time, Krebs said attackers had gained illegal access to LaCie’s systems by exploiting vulnerabilities in Adobe’s ColdFusion web application development software. LaCie later confirmed to Krebs that attackers may have accessed customer information from March 27, 2013 to March 10, 2014.
Sensitive data such as customer names, addresses, email addresses, and payment card details such as credit and debit card numbers and expiration dates, may have been exposed in the breach, LaCie said. Attackers may also have accessed usernames and passwords for the LaCie website. Affected customers were notified on April 11.
Customers should check their credit card bills and bank statements for fraudulent activity, LaCie said.
The online store, accessible from LaCie.com, is currently unavailable and not accepting any transactions. The French company is currently transferring the e-commerce portion of its site to a provider specializing in secure payment processing services, and users will have to change their passwords after the transition is complete and the store comes back online, the company said.
It is unusual for a problem to go unnoticed for so long, although not unheard of. Last year’s Data Breach Investigations Report from Verizon’s RISK Team found that 67 percent of incidents take several months to be discovered, and nearly 70 percent find out about the breach from third parties such as law enforcement authorities.
Even so, customers should demand an explanation and ask “the company tough questions about why it didn’t spot the intrusion earlier, and whether it had put enough resources into properly penetration testing its site to find and resolve weaknesses,” said Graham Cluley, an independent security consultant.
LaCie’s current move to a secure payment processing provider is also worrisome. It is not clear whether the breach was related to the payment processing system. It is also not known whether this means payments in the past were not processed or stored securely.
This incident could be particularly damaging for LaCie’s brand as the company offers encryption and other security products for sale. Competitors shouldn’t feel smug, though.
“How confident can other organizations be that their systems have not been compromised, and that they have taken enough precautions to deflect intruders?” Cluley asked.
Fahmida Y. Rashid is an accomplished security journalist and technologist. She is a regular contributor for several publications including iPCMag.com where she is a networking and security analyst. She also was a senior writer at eWeek where she covered security, core Internet infrastructure and open source. As well, she was a senior technical editor at CRN Test Center reviewing open source, storage, and networking products.