Storage specialist LaCie has warned customers of a major data breach that may have compromised their personal data used for purchases between March 2013 and 2014.
The hole in the company's servers is not, it has been quick to reassure customers, indicative of the security of its storage products in general; no customer data stored on the company's cloud services or network-connected storage devices is thought to be involved in the breach. Rather, the attack targeted the company's ecommerce system, making off with transaction information for purchases made in the last year.
'On March 19, 2014, the FBI informed LaCie that it found indications that an unauthorised person used malware to gain access to information from customer transactions that were made through LaCie's website,
' the company explained to customers in a statement
made nearly a month after it was alerted to the breach. 'We believe that transactions made between March 27, 2013 and March 10, 2014 were affected. The information that may have been accessed by the unauthorised person may include customers' names, addresses, email addresses, and payment card numbers and card expiration dates. Customers' LaCie website user names and passwords could also have been accessed, which is why we required a reset of all passwords.
LaCie has not confirmed how the data was stored; while credit card information should be encrypted, password are better stored as salted one-way hashes which become much harder for an attacker to crack. Either way, those with LaCie accounts are advised to change their passwords, both on the LaCie service itself and anywhere else where the same or similar password was used, and to keep a close eye on their credit card statements for unauthorised activity.
'As a precaution, we have temporarily disabled the ecommerce portion of the LaCie website while we transition to a provider that specialises in secure payment processing services,
' the company added. 'We will resume accepting online orders once we have completed the transition.