Acer spills user details Down Under
Breach plugged, customer warning fired out
A security breach uncovered last week left customers of Acer's Australian store able to see other user's order histories, complete with contact details. Credit card details were not disclosed but complete contact information (email and phone addresses) and detailed order information was left exposed. This data, samples of which have been seen by The Register, might be used by fraudsters posing as Acer to trick users into handing over sensitive bank or credit card payment details.
Acer said it has fixed the security bug, which it described as a one-off. It notified customers by email (reprinted below) of the breach warning users to contact Acer directly if they are phoned by anyone seeking their order or credit card details.
Des Paroz, Acer's director of e-commerce, told Australian IT that the security glitch was introduced when the site was upgraded three months ago. Acer only became aware of the problem when it was notified by IT security consultant Alex Lane. Lane is critical that Acer failed to take the site offline while it fixed the problem. Acer has promised to investigate its handling of the breach. ®
Dear valued Acer Customer,
This e-mail has been sent to advise you of a minor flaw we have picked up on our online order system. This flaw was brought to our attention by a Shop Acer customer who, when accessing their own order was able to view other Shop Acer orders.
This customer immediately brought it to our attention and the bug has now been fixed. We are not aware of any other occurrences of this flaw and we are confident that this was a once off.
As you may be aware Acer does NOT store any payment details online.
We would however like to advise you that if anyone calls you stating they are from Acer and they would like to clarify your order or credit card details please do not give them out and instead offer to call Acer directly on (02) 8762 3269.
We treat your privacy as an Acer customer very seriously and I'd like to take this opportunity to reassure you that your credit card details have not been compromised.
If you should have any question please feel free contact myself on [email address deleted]
Andy Liou National Marketing Manager Australia & New Zealand Phone: +612 8762 3000
Sponsored: Global DDoS threat landscape report