Last June, Acer admitted that its website had suffered a data breach affecting an unspecified number of customers, which included the theft of credit card details. Now, the company has agreed a settlement with the New York Attorney General's office, following an investigation into the incident.
The investigation uncovered serious flaws in Acer's data management, noting that "sensitive customer information was not protected by Acer for almost a full calendar year". It also found that "Acer's website contained numerous vulnerabilities"; in a press release, the AG's office explained:
For example, between July 4, 2015 and April 28, 2016, an Acer employee enabled debugging mode on Acer’s e-commerce platform.
During this time, the website saved all the information provided by the customers in unencrypted plain text form to a log file. This information included first and last name; credit card number, expiration date and verification number (CVN); website user name and password; email address; and street address including city, state and zip code.
Additionally, the investigation revealed that Acer had "misconfigured its website to allow directory browsing by unauthorized users". Directory browsing lets anyone enumerate the files in a web-served directory, so any file left there, whether it was meant to be published or not, is a single request away from download. The company was severely criticized for its security failings, which led to the personal data - including names, usernames and passwords, addresses, credit card details, and other information - of 35,071 people being compromised.
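The two findings above describe a failure mode rather than a single bug: a debug logger that writes every submitted field to disk, combined with a file system that outsiders can browse. The following is an added example, not Acer's code or anything from the press release, showing the shape of such a logger beside a hardened one, plus the check an incident responder would run over existing logs to confirm whether card numbers ever landed in them. The form fields, field names and sample values are constructed for the example; the hardened logger keeps only the last four card digits and drops CVN, expiry and password entirely.

```python
"""Added example: debug-mode request logging that leaks card data, a
hardened logger, and a Luhn-based scan for PANs already written to logs.
All names and sample data below are constructed for illustration."""
import re
from typing import Dict, List

# Constructed checkout submission, similar in shape to an e-commerce form
# post. Every value is made up; the card number is a well-known test PAN.
SAMPLE_FORM = {
    "first_name": "Jane",
    "last_name": "Doe",
    "email": "jane@example.com",
    "card_number": "4111 1111 1111 1111",
    "card_exp": "12/27",
    "card_cvn": "123",
    "username": "janedoe",
    "password": "hunter2",
    "street": "1 Main St",
}

# Fields that must never reach a log file in clear text.
SENSITIVE_FIELDS = {"card_number", "card_exp", "card_cvn", "password"}


def debug_log_line_unsafe(form: Dict[str, str]) -> str:
    """The failure mode: a 'debug mode' logger that dumps every submitted
    field verbatim, card number, CVN and password included."""
    return "DEBUG checkout: " + "&".join(f"{k}={v}" for k, v in form.items())


def debug_log_line_safe(form: Dict[str, str]) -> str:
    """Hardened logger: the card number is masked to its last four digits
    (enough for support correlation); CVN, expiry and password are dropped."""
    parts = []
    for k, v in form.items():
        if k == "card_number":
            digits = re.sub(r"\D", "", v)
            v = "*" * (len(digits) - 4) + digits[-4:] if len(digits) >= 4 else "****"
        elif k in SENSITIVE_FIELDS:
            continue
        parts.append(f"{k}={v}")
    return "DEBUG checkout: " + "&".join(parts)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; filters most random digit runs
    (order numbers, timestamps) out of the PAN candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(log_text: str) -> List[str]:
    """Scan log text for Luhn-valid card-number-shaped digit runs. This is
    the forensic/DLP pass to run over web server and application logs when
    checking whether a debug setting ever wrote card data to disk."""
    hits = []
    for m in PAN_CANDIDATE.finditer(log_text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    unsafe = debug_log_line_unsafe(SAMPLE_FORM)
    safe = debug_log_line_safe(SAMPLE_FORM)
    print(unsafe)
    print(safe)
    print("PANs found in unsafe line:", find_pans(unsafe))
    print("PANs found in safe line:  ", find_pans(safe))
```

The scanner is deliberately simple: the regex plus Luhn check gives few false positives on typical logs, and a single hit is enough to declare the file in scope for breach notification. It does not address the directory-browsing side of the finding, which is a web server setting rather than application code; the point of pairing the two functions is that a logging change alone would have kept the card data out of the file in the first place.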
"Businesses have a duty to protect their customers’ personal information as securely as possible," said Attorney General Eric Schneiderman. "Lax security practices like those we uncovered at Acer put New Yorkers’ credit card information and other personal data at serious risk. That’s unacceptable, and will change under the terms of our settlement today. My office will continue to hold businesses accountable for protecting their customers’ private information."
Acer agreed to pay $115,000 in penalties, and committed to a range of improvements to boost its online security and data protection measures.