Acer has been penalized for a massive amount of $115,000 after a glitch in the system exposed thousands of customers' personal information. The leak was caused when the company's website misconfigured and left its customers privy to hackers.
The security breach occurred in June last year when the company announced that a breach in online storefront pertaining to North America resulted in the compromise of thousands of users' data. In recent updates regarding the matter, the New York attorney general's office confirmed that the company would be paying the heavy fee in penalties.
The decision was made after the attorney general's office investigated the matter and found the Acer technical support team responsible for serious security errors. According to Engadget reports, the discovery showed that the debugging mode was enabled on the e-commerce platform of the company between July 2015 and April 2016.
This setting resulted in all of the clients' personal data provided via the website's forms to be saved on a plain-text log file which was unencrypted. The information provided credit card details, full names, user names, verification numbers, passwords for email addresses and even the website as well as ZIP codes and complete street addresses.
Undoubtedly, customers would be required to enter this data in order to carry out transactions on the portal. However, it is easy to imagine how acts of fraud could be committed by malicious entities by use of this information. Additionally, a confirmation proves that the Acer website was misconfigured in order to allow unauthorized users to browse the directory.
Attackers and hackers could easily access the subdirectories from any web browser as stated in the release published by the attorney general's office. The investigation also showed that the breach caused the stealing of 35,000 users' information from Canada, the United States, and Puerto Rico. It is confirmed that at least one hacking group has exploited the vulnerabilities of the site to collect data between Nov. 2015 and April 2016.
In addition to the $115,000 settlement, the company will also be required to enforce multiple new security policies in order to ensure that prior mistakes are not repeated.
