Seagate’s LaCie Admits to Yearlong Breach of Customer Card Data
LaCie, the French hard drive company, admitted yesterday that it has suffered a significant breach of its e-commerce systems lasting nearly a year.
The company posted a notification to customers on its site yesterday saying that agents from the FBI had notified that someone had used malware to penetrate its systems and gain access to the credit card information of people buying hard drives on the site. The site has temporarily stopped taking orders.
First word of a possible attack came on March 17 when security blogger Brian Krebs published evidence that the site was among about four dozen that had been compromised by way of a flaw in ColdFusion, a Web application development platform from the software company Adobe.
The vulnerability allowed attackers to assemble a botnet, or group of remotely controlled computers that were, as Krebs describes it, “milked for customer credit card data.”
Among the other victims of the same vulnerability was Smucker’s, the U.S.-based purveyor of jams and jellies. ColdFusion vulnerabilities are central to the case of at least one person charged by prosecutors in the U.S. and the U.K. with breaking into the systems of the U.S. Federal Reserve and other government agencies.
LaCie said in its statement that it thinks customers who bought something on the site between March 27, 2013, and March 10 of this year are affected. Those customers were notified starting on April 11.
LaCie was acquired by hard drive giant Seagate in 2012. Its best known products are probably the orange-encased Rugged hard drives (an example pictured above) that are popular with Mac users.