Company says there’s no indication that customer information was accessed.
Acer's data breach.
Computer manufacturer Acer has confirmed that it sustained a data breach that resulted in the theft of company data.
Technical files stolen.
A hacker is offering 160GB of the stolen data for sale on a criminal forum, SecurityWeek reports. According to BleepingComputer, the hacker claims “the stolen data contains technical manuals, software tools, backend infrastructure details, product model documentation for phones, tablets, and laptops, BIOS images, ROM files, ISO files, and replacement digital product keys.”
Acer said in a statement to SecurityWeek, “We have recently detected an incident of unauthorized access to one of our document servers for repair technicians. While our investigation is ongoing, there is currently no indication that any consumer data was stored on that server.”
Industry comments on the Acer breach.
Dror Liwer, co-founder of cybersecurity company Coro, commented that, while there may be no PII involved, the breach is a serious one nonetheless:
“While most data thefts we hear about include personally identifiable information or financial information, intellectual property is also high on the attackers list. It is just as important to protect file servers and storage platforms as it is databases. The main issue is that in order to adequately protect servers and file systems, more than one security tool needs to be deployed, adding to the complexity and resulting in potential blind spots that elude the security team.”
Erich Kron, security awareness advocate at KnowBe4, also noted that not all damaging breaches involve personal information:
“Not all data breaches need to contain personal information about customers or employees, or financial information such as credit cards, to be a concern. In this case Acer is potentially looking at the release of some of their intellectual property and potentially sensitive company documents. Organizations spend a lot of time and money developing proprietary procedures and processes, as well as technical information about their products. In the very competitive world of electronics and technology, this information can be very valuable to competitors, and the technical information may be very valuable to bad actors wishing to create exploits targeting the victims' products.”
Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, points out that intellectual property in the wrong hands can lead to “peripheral danger:”
“The situation that Acer finds itself in highlights a peripheral danger in leaked or stolen enterprise data—the threat of intellectual property and other proprietary information falling into the wrong hands. Most businesses are rightly concerned first and foremost with maintaining data privacy and security with regards to their customers' data. Yet, hackers want to know more about the targeted companies themselves, knowledge such as trade secrets, corporate strategies, inventions, and any other bits of sensitive information which would create leverage in a ransom and blackmail situation.
“A cyberattack can also cause disruptions in a company's operations, resulting in decreased productivity and increased costs to recover from the attack. This can also lead to a loss of confidence from investors and stakeholders, who may see the company as a higher risk investment. So, while companies look to protect their customers' data in the best ways possible, with data-centric methods such as tokenization or format-preserving encryption, they also need to apply those controls to sensitive data about themselves. We all know that a company's most valuable asset is data, and that includes data about what they themselves are doing and bringing to market.”