Intruders gained access to Acer customer data via a third-party payment processing system

If you live in the U.S. or Canada and purchased an Acer device from the company within the last year from its online store, then your credit card information is likely in the hands of cyber thugs.

According to a sample breach notification letter sent to the California Attorney General’s office, Acer said, “We recently identified a security issue involving the information of certain customers who used our ecommerce site between May 12, 2015 and April 28, 2016, which resulted in unauthorized access by a third party.”

Mark Groveunder, Acer’s vice president of customer service, warned affected customers that the data stolen included names, addresses, credit card numbers as well as the associated expiration date and three-digit CVV security code.

The Taiwanese company said 34,000 customers across the U.S., Canada and Puerto Rico were affected. The company hired “outside cybersecurity experts” to investigate the breach, but at this time it does not believe password or login credentials were stolen.

Softpedia noted that Acer runs its store on the Magento Enterprise platform, but the security issue came from one of its third-party payment processing systems. The company “took steps to remediate the issue, and later notified the credit card payment processor.” It also offered to fully cooperate with federal law enforcement.

Hacking a company via a third party is nothing new. Javvad Malik, security advocate at AlienVault, told IBTimes, “Attackers will choose the path of least resistance to get into a company—and if it is well-secured, then this path will usually be through a third party that has legitimate access.
Having an appropriate supplier security assurance framework in place that sets the requirements for a third party and also the ongoing controls is essential.”

Acer is not offering free credit monitoring or identity protection services, but it advised affected customers of their right to file a police report, contact their State Attorney General’s office or the Federal Trade Commission.

The letter also contained a “resource guide” about how to place a fraud alert for identity theft or a security freeze on credit files.