Computer manufacturer Acer recently began notifying an undisclosed number of the company’s online customers that their credit card information may have been accessed by hackers.
Anyone who used Acer’s online store between May 12, 2015 and April 28, 2016 may be affected.
“We took immediate steps to remediate this security issue upon identifying it, and we are being assisted by outside cybersecurity experts,” company vice president for customer service Mark Groveunder wrote in a notification letter [PDF] to those affected. “We have reported this issue to our credit card payment processor. We have also contacted and offered our full cooperation to federal law enforcement.”
While no passwords appear to have been collected, the attackers were able to access names, addresses, credit card numbers, expiration dates and CVV codes.
Mark Bower, global director of product management for enterprise data security at HPE Security, told eSecurity Planet that no retailer should store credit card details, and no retailer should ever be storing CVV data in any form. Solutions like end-to-end encryption and tokenization, Bower said, can easily protect sensitive data throughout the payment process.
“Thousands of leading merchants and well known name-brand online stores throughout the world have already adopted these approaches with great success, either on premises, or through payment processor services — with them, the risk of an attack being successful is absolutely minimized — attackers get nothing of value, just meaningless random data,” Bower said.
According to the Retail Edition of the 2016 Vormetric Data Threat Report, based on responses from 1,100 senior IT security executives at large enterprises worldwide, including more than 100 at U.S. retail organizations, fully 89 percent of retailers feel vulnerable to data threats.
The report, issued in conjunction with 451 Research, also found that 51 percent of retailers have already experienced a data breach, with 21 percent having done so in the past year.
Retailers’ IT security spending priorities, the report found, are as follows: reputation and brand protection (55 percent), compliance (49 percent), best practices (37 percent), executive directive (35 percent) and preventing data breaches (31 percent).
Still, 61 percent are increasing spending to protect sensitive data, 55 percent are looking to implement data security for brand and reputation protection, and 44 percent plan to invest in data-at-rest defenses this year.
“The good news is that U.S. retailers are protecting data for the right reasons, and nearly half have a good track record of safeguarding sensitive data,” 451 Research senior analyst and report author Garrett Bekker said in a statement. “Protecting reputation and brand integrity was the top reason for securing sensitive information at 55 percent, and 44 percent claimed they had never experienced a data breach or failed a compliance audit.”
“But IT security spending plans tell another story,” Bekker added. “Spending on network defenses (55 percent) and endpoint and mobile device defenses (48 percent) are increasing faster than on security controls that are more effective at protecting data, data-at-rest defenses (44 percent) and data-in-motion defenses (42 percent).”
“Spending to protect data is increasing fastest in areas that have been shown to be ineffective at protecting against multi-stage attacks,” Bekker said. “Network defenses (65 percent) and endpoint and mobile device defenses (58 percent) still see the highest increase in spending, while approaches like data-at-rest defenses that have been proven to be effective at protecting data after perimeter defenses have been bypassed are at the bottom (48 percent).”
A recent eSecurity Planet article offered advice on securing corporate data in a post-perimeter world.