LaCie admits to year-long credit card breach

French hardware company, now a Seagate subsidiary, says virtually everyone who shopped on LaCie's Web site in the last year is at risk.

Rachel King Staff Writer
Rachel King is a staff writer for ZDNet based in San Francisco.

If you bought LaCie's Little Big Drive or anything else on the company's retail site, you're likely at risk. (Photo: Stephen Shankland/CNET)

LaCie is the latest major retailer and tech company to find itself the target of a major security breach by unknown assailants.

The French hardware company confirmed in a statement on Tuesday that malware successfully made its way through to access sensitive customer information stemming from transactions on its website.

Here's where things get really bad: Virtually everyone who shopped on LaCie's website in the last year is at risk.

LaCie, which is set to merge with American hard drive maker Seagate, said it was informed about the breach on March 19, 2014 by the FBI.

But the hardware company speculated that all transactions between March 27, 2013 and March 10, 2014 were possibly affected.

Brian Krebs, the former Washington Post reporter who first broke the Target security breach story last winter, reiterated on his security blog on Tuesday that he previously published evidence about the LaCie attack last month.

Krebs said that the digital storefront had "been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe's ColdFusion software."

To recall, Adobe was hit by an attack last fall, leaving both customer information and source code for numerous Adobe products vulnerable, including Adobe Acrobat, ColdFusion, and ColdFusion Builder. In that case, although the original estimated number of accounts affected hovered under three million, the count was later updated to approximately 38 million. The ColdFusion holes have since been patched.

As for LaCie, customer names, addresses, email addresses, payment card numbers, and card expiration dates are all at risk, and usernames and passwords could also have been accessed. LaCie asserted it already required users to reset their passwords.

LaCie said it started notifying affected customers via letter on April 11, 2014.

Along with the FBI, LaCie said it had tapped an unnamed forensic investigation firm to help with the investigation as well as deploy new security measures. In the meantime, LaCie has shuttered its digital store until the payments infrastructure can be fully secured.

This story originally appeared as "LaCie admits year-long malware security breach; customer data at risk" on ZDNet.