Acer agreed to pay $115,000 in penalties after a major data breach of its website exposed more than 35,000 credit card numbers.
An investigation by the New York Attorney General's office revealed sensitive customer information was not protected by Acer for almost a full calendar year.
"Businesses have a duty to protect their customers' personal information as securely as possible," NY AG Eric Schneiderman said in a statement. "Lax security practices like those we uncovered at Acer put New Yorkers' credit card information and other personal data at serious risk.
"That's unacceptable, and will change under the terms of our settlement today," he added.
The Taiwanese manufacturer in June revealed that a breach affected shoppers on Acer's US site between May 12, 2015, and April 28, 2016. But according to the AG's office, the infraction was much more serious.
An investigation revealed that Acer's e-commerce platform was left unencrypted from July 2015 to April 2016, and the company misconfigured its website to allow directory browsing by unauthorized users. The data wasn't encrypted because Acer left the system in a debug testing mode.
As a result, at least one attacker exploited website vulnerabilities and made hundreds of electronic requests for customer data between Nov. 11, 2015, and April 28, 2016. Sensitive information related to 35,071 people, including 2,250 New York residents, was stolen.
Related
- The 5 Worst Hacks and Breaches of 2016 and What They Mean for 2017The 5 Worst Hacks and Breaches of 2016 and What They Mean for 2017
This week's settlement requires Acer to increase its security and better protect consumer information by providing annual employee training as well as implementing and regularly testing safeguards. The electronics giant also agreed to maintain the data security standards required by the credit card industry.
"My office will continue to hold businesses accountable for protecting their customers' private information," Schneiderman said.
Acer did not immediately respond to PCMag's request for comment.