April 15, 2014

Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past year. The disclosure comes almost a month after the breach was first disclosed by KrebsOnSecurity.

On Mar. 17, 2014, this blog published evidence showing that the Web storefront for French hardware giant LaCie (now owned by Seagate) had been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe’s ColdFusion software. In response, Seagate said it had engaged third-party security firms and that its investigation was ongoing, but that it had found no indication that any customer data was compromised.

The Lacie.com Web site as listed in the control panel of a botnet of hacked ecommerce sites.

The Lacie.com Web site as listed in the control panel of a botnet of hacked ecommerce sites.

In a statement sent to this reporter on Monday, however, Seagate allowed that its investigation had indeed uncovered a serious breach. Seagate spokesman Clive J. Over said the breach may have exposed credit card transactions and customer information for nearly a year beginning March 27, 2013. From his email:

“To follow up on my last e-mail to you, I can confirm that we did find indications that an unauthorized person used the malware you referenced to gain access to information from customer transactions made through LaCie’s website.”

“The information that may have been accessed by the unauthorized person includes name, address, email address, payment card number and card expiration date for transactions made between March 27, 2013 and March 10, 2014. We engaged a leading forensic investigation firm, who conducted a thorough investigation into this matter. As a precaution, we have temporarily disabled the e-commerce portion of the LaCie website while we transition to a provider that specializes in secure payment processing services. We will resume accepting online orders once we have completed the transition.”

Security and data privacy are extremely important to LaCie, and we deeply regret that this happened. We are in the process of implementing additional security measures which will help to further secure our website. Additionally, we sent notifications to the individuals who may have been affected in order to inform them of what has transpired and that we are working closely and cooperatively with the credit card companies and federal authorities in their ongoing investigation.

It is unclear how many customer records and credit cards may have been accessed during the time that the site was compromised; Over said in his email that the company did not have any additional information to share at this time.

As I noted in a related story last month, Adobe ColdFusion vulnerabilities have given rise to a number of high profile attacks in the past. The same attackers who hit LaCie also were responsible for a breach at jam and jelly maker Smuckers, as well as Alpharetta, Ga. based credit card processor SecurePay.

In February, a hacker in the U.K. was charged with accessing computers at the Federal Reserve Bank of New York in October 2012 and stealing names, phone numbers and email addresses using ColdFusion flaws. According to this Business Week story, Lauri Love was arrested in connection with a sealed case which claims that between October 2012 and August 2013, Love hacked into computers belonging to the U.S. Department of Health and Human Services, the U.S. Sentencing Commission, Regional Computer Forensics Laboratory and the U.S. Department of Energy.

According to multiple sources with knowledge of the attackers and their infrastructure, this is the very same gang responsible for an impressive spree of high-profile break-ins last year, including:

An intrusion at Adobe in which the attackers stole credit card data, tens of millions of customer records, and source code for most of Adobe’s top selling software (ColdFusion,Adobe Reader/Acrobat/Photoshop);

-A break-in targeting data brokers LexisNexis, Dun & Bradstreet, and Kroll.

-A hack against the National White Collar Crime Center, a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime.


53 thoughts on “Hardware Giant LaCie Acknowledges Year-Long Credit Card Breach

  1. TheOreganoRouter.onion.it

    This is how people end up on spammers list all of a sudden for no reason or explanation. It’s because large companies like this, that the end user has to suffer due to lapses in their security practices.

    1. SeymourB

      In ye olden days we used to create one-off email addresses for every website we gave email addresses to, so we could tell which one had misused our information for spam purposes. That technique could be useful in determining which website was compromised.

      Of course, you really need to own a domain for this technique to work, since you create aliases to your main mailbox and add a tag to each incoming message with the address it was sent to. The latter is necessary due to BCCs hiding the recipients email address.

      1. TheOreganoRouter.onion.it

        I know for a fact that I’ve given one of my email addresses to Lacie. I now worry that what ever one that was given to them will be sold multiple times to spammer groups which is not good.

        The real question is if a person signs up for web store account but doesn’t buy anything or just signs up for a newsletter, what information has the hacker obtained ? Email accounts? Log-in information , hashed and salted passwords?

        It will be a cold day in hell before I buy another external Lacie Drive

        1. Sarah Shrigley

          Why can’t LaCie take phone orders? My card was hacked because I bought a LaCie HDD online. NO MORE!

          1. Andre Friedmann

            I’ll second that motion, Shirley. I’ve had too much bad luck with LaCie’s products *and* their services. The latest bit of bad luck had me give LaCie a credit card number to expedite shipping on a warranty exchange LaCie had deliberately dragged its feet on for months. I had the bad luck of giving them my MasterCard only days before LaCie learned about the security breach!
            How about never doing business with them again? Is never too soon?

  2. Hackerproof??

    Thank you for being the eyes for all of us. I must admit that following your blog is more depressing than following the news of the world, but keep it up. Almost like you are the conscience of the web out there.

  3. Harry S

    So they have stolen presumably thousands of CC numbers with exp dates. Brian, how would these be “moved through the system”? You’ve shown for the Target breach and others how they end up for sale on a list on web sites.

    In this case, collecting cards slowly, would they be used and sold directly in small lots? Would they end up on an illegal card web site?

    Would there not have been a determinable common point of purchase pointing at LaCie much earlier? A year is a long time to be exposed.

    Thank you.

  4. Eddie M

    From a company that offers Wuala – the encrypted cloud storage, you would think that they would store customer information more securely.

    1. Robert.Walter

      For me this would be an indicator that their cloud may not be so secure.

      1. Infosec Geek

        Saw a recommendation on the Sophos blog that one way to clearly think about cloud computing is to replace the phrase “in the cloud” with the phrase “on someone else’s computer”.

        I’ll suggest focusing your risk analysis by prepending the phrase “What could possibly go wrong with…” with the results of that Sophos advice.

        So: “What could possibly go wrong with Wuala – the encrypted storage on someone else’s computer?”

        Answer is left as an exercise for the readers, or lulzsec.

        1. Eddie.Mc

          I’m a lot less concerned about someone getting my encrypted file stored on “another person’s computer” aka the cloud, than my credit card number and PII not stored securely in a database or in transit correctly. At least the file is encrypted.

          It’s true users need to make educated decisions on what to store and where using these cloud services.

        2. Robert.Walter

          You mean they don’t really some how store it in a real cloud?

          Next I suppose somebody is going to try and tell me that those shards that Jarwal was demonstrateing to Superman in that crystal palace were not really made of ice! 😉

          As one who has participated in the creation of many FMEAs and other risk evaluation exercises, I agree with the rest of your suggestion.

  5. NotMe

    Nice work Brian, As usual the time between the posting on this blog and an official news release is always interesting.

    One very good reason to keep up with Krebs!

    1. Maureen

      I second that. I’m not even surprised any longer when the “big news” is a few days behind something we’ve been alerted to by Brian.

      1. BC

        I’m not surprised any more when I get “the scoop” before my husband who actually works in IT…or when his inbox is so full that he fails to notice my “scoop” for a couple days (and starts explaining things like Heartbleed & revoked certificates).

        At least he’s got that part all figured out now–if it’s a “current event” and it’s Internet-related, he just stops himself and says, “I bet you already know all about this.”

  6. Maureen

    So…I’m not the sharpest knife in the drawer when it comes to these things – that’s why I read Krebs – but it seems to me that if I am in charge of a company whose database got breached, I would want to disclose it before Brian Krebs got a hold of it. 🙂

    1. Robert.Walter

      nobody ever expects Brian Krebs! (Or the Spanish inquisition!)

  7. Stratocaster

    So this will now become known as LaCiegate?

  8. cvnk

    I don’t suppose there’s any way for us (the web-consuming general public) to know what server-side technology an ecommerce site is built upon so we make an informed decision about whether we want to do business with that site. I would assume they try to conceal that info in general to avoid making it to easy for hackers to decide which exploit they’re going to use.

    I guess it would be futile anyway. *sigh*

    1. BrianKrebs Post author

      Well, in the case of ColdFusion, one indicator is the presence of urls that end in “.cfm”

      1. Sarah K.

        Not sure if this was supposed to be funny, Brian… but it cracked me up enough to spit coffee!

        Industry news and morning giggles, brought to you by KrebsonSecurity!

        1. timeless

          He’s serious.

          Here’s a very incomplete list of things you might see in a URL (somewhat sorted by category/age):

          .cgi = standalone program gateway (basically, the web server is going to run a program – possibly compiled, possibly not – and return its output) – moderately old (predates ISAPI and most other things)
          .dll = program gateway (like CGI but for IIS)
          .nsf = Lotus Notes
          .cfm = ColdFusion Markup
          .cfc = ColdFusion Component

          .shtml = Server-side HTML (like .asp, but possibly w/ server side JavaScript embedded which is executed before the page is returned)

          .asp = Active Server Page (roughly like .shtml) IIS – can be JScript/VBScript (could be PerlScript or various others)
          .aspx = Active Server Page for .Net (like .asp) IIS
          .srf = Server Response File (roughly like .shtml or .asp) IIS
          .jsp = Java Server Page (like .asp but with embedded Java code – compiled by server on a semi-as-needed-basis) often Tomcat/iPlanet/GlassFish

          .pl = Perl (older script-based programming language)
          .php = PHP: Hypertext Preprocessor (frequently insecure script-based programming language)

          .jspa = Java Servlet Alias – possibly Struts
          .do = Struts
          .action = Struts

          pf_rd_t = Dunno, but Amazon and others use it

    2. FARO

      In the past as a software developer looking for work, there were many questions on my knowledge of Cold Fusion. I knew virtually nothing about the language thus no job. Not that I could not figure it out since most of this stuff is basically the same. Don’t hear much in the way of requests these days to program in this language, but I guess it is because I have stayed away from it so they do not ask.

      1. Infosec Pro

        I’ve got some arguments with their letter grades, Robert.

        Seems to me that they make sites look bad by using relatively minor issues they would remediate if only they were hired.

        I can specifically identify two vulns they graded as “F” that I’ll argue are relatively innocuous (e.g. SSLv2 got an “F” but doesn’t usually matter because it’s a fallback that shouldn’t be used if SSLv3 is available).

        So please take their results as being marketing hype not objective fact.

        1. Robert.Walter

          I had considered that, but figured that even if the weighting may not be consistent, the grades have to provide a decent ranking from a relative standpoint.

          And even if ther is a business motive behind the rankings, this would still be consistent with a better/worse grade. There isn’t much of an extortion motive either because SSL can’t much ding an A site down to a D just to extort some work from them and not equally ding all other sites for the same infraction.

          And the path to an improved score always lies with the site operator, who can upgrade at will. I think that B ranked fis probably know what they need to do to get to an A without SSL (Mac even be true for any firm wanting to increase their grade up a step.)

    3. Brad Wood

      Trying to guess the relative security of one site or another based on the technology in use would be pointless. Whitehat Security just released this report that compares the relative security of the most popular languages on the web and found that none of them were any more or less vulnerable to attacks.

      http://blog.whitehatsec.com/relative-security-of-programming-languages-putting-assumptions-to-the-test/

      In fact, ColdFusion received some of their highest marks for fewest vulns and best remediation. What they also found is that most vulns come from human error. Sadly, it much more difficult to determine whether or not a given company is likely to follow security best practices– especially when you see big players getting hacked.

      1. BrianKrebs Post author

        Brad, the next time you go off on Twitter and accuse me of deleting your comments, you should know that comments which include links very often get moderated automatically and held until I have time to release them from moderation.

        Despite what you may think, I welcome divergent views on this blog, and almost never delete or manually mod down comments. But I might do that for readers who consistently and incorrectly accuse me of censorship.

        1. Brad Wood

          I’m glad to hear I wasn’t censored and I apologize for jumping to that conclusion. The reason I assumed it had been deleted is that it showed on this site for a while after posting and then disappeared later.

          1. BrianKrebs Post author

            Not sure how that could have actually happened. Comments that are moderated say so after you leave them. And I can assure you I wasn’t awake at 1:19 a.m. ET, when you left that comment.

            1. Infosec Geek

              But if you were asleep who’s minding the web?

      2. Mike C

        That’s splitting hairs to prop up your argument, since 100% of vulnerabilities are from human error. Poorly written source code is the root of virtually all security holes in software. While sysadmins certainly deserve their share of heat for not patching, if the code wasn’t developed using a competent software lifecycle process, with rigorous testing, then the developers shoulder responsibility, too.

  9. Glenn

    Given that “Security and data privacy are extremely important to LaCie” you’d think they’d have encrypted the credit card numbers no? Responsible sites just leave that kind of stuff lying around in the clear?

    1. Wil Genovese

      Actually one of the things I found loaded onto a web server was an IIS module that sniffed all HTTP POST actions for credit card data and it grabbed the CC data prior to encryption from within IIS itself. Nasty little bugger!

  10. CharlieG.

    Every time I read increasingly frequent statements such as, “We take…[…reader fill in this space…]….very seriously, and are constantly striving to ….” blah/blah/blah…. I have to think that, “OK, but not quite so seriously that you don’t spend more corporate cash setting up procedures so these hackers can’t break in.”

    I know, I know, computers are increasingly complex and are changing all over the place, but we’ve had these wonderfully inviting machines for hackers […why, oh, why are TEEN-agers so successful at this?] now for some decades, and we still have not achieved the Cat Actually Eating The Hacker-Mouse. We need hungrier cats with better paid salaried positions?

    So, this layman here thinks that if enough corporate cash was invested….in a joint Manhattan Project, the likes of these Cie’s might temporarily cut into their profits, but in the long run wouldn’t these Cie’s benefit from an enhanced reputation for Security?

    Surely the knowledge is out there; we have Krebs here right in front of us, and his sharp pieces here, again right in front of us, but I wonder why this apparent stinginess [imbalance] continues?

    Right here we read the results of this imbalance in corporate R&D spending.

    1. CharlieG.

      O.K., the flaw I spot after proofing the above is my omitting the huge and nasty area of “competition” among these other equipment manufacturers and their jealously guarded procedures.

      But wouldn’t some careful R&D cooperation trump sorter term competitiveness?

      1. CharlieG.

        …correct “sorter” to read…..”shorter”.

  11. Robert.Walter

    This will not end until corporate CEO start getting little time-outs in federal prison.

    I really wonder when some solid legislation is going to drop that holds companies responsible…

    One bright sign is that a federal court recently decided that the FTC has legal authority and jurisdiction to start levying fines on companies that play fast and loose (not the actual legal term) with customer data and it leads to a breach…

  12. Steve D

    One or more of these companies that were hacked needs to sue Adobe under the same laws that others use for suing defective product manufacturers. The sooner software makers are made financially responsible for their sloppy programming work and security holes the better the world will be. Their ridiculous licensing claims of innocence and non-responsibility for anything needs to be broken, even if it takes going to the Supreme Court. Software makers need to be held to the same product quality standards as automakers and every other product maker. If that were to happen they would quickly make security a top priority and we wouldn’t be having this happen every week. Citizens can help make this happen by making it known to vendors that they will no longer purchase their products from their websites. I know this won’t happen completely but if enough citizens started withholding their purchases to put a noticeable dent in internet commerce and making it known why, things would begin to improve for the better.

    1. BrianKrebs Post author

      Well, to be fair Steve, as far as I can tell the vulnerabilities that the attackers exploited were at least a year old when they were exploited, so it’s not like the hacked organizations had no time to patch.

      1. Steve D

        That is a reasonable argument Brian provided every company was notified by letter the same way GM or Ford notifies their customers for a profuct defect. And if that is true my same point still applies. Those companies that didnt patch should also be sued by those effected for a defective web site. It is still a defective product liability issue. The software industry is allowed to get away with things that no other product msnufacturer

      2. Brad Wood

        That’s an excellent point, Brian. A quick look at the LaCie site seems to show they are using CF8, which would present a likelihood that the attack vector was the directory traversal attack on an exposed administrator. (CVE-2010-2861)

        This was patched in August 2010: http://www.adobe.com/support/security/bulletins/apsb10-18.html

        That means that if LaCie was compromised in March 2013, it had been 2 years and 7 months since the patch was released.

        Of course, it is possible they were hit with CVE-2013-0625 which was patched in January 2013, but only for supported versions of CF.

  13. Elaine

    Well isn’t it obvious that using the Internet is simply giving all kinds of criminals free reign to steal your identity, personal information and/or credit card and other types of financial information?

    There isn’t anything an individual can do to really protect themselves is there?

  14. Robert.Walter

    Maybe I asked before, maybe somebody even answered, but then I’ve missed it.

    But can anybody please explain why a company does not encrypt all customer data? Is there some complication or logistical reason that makes this impractical?

    1. Wil Genovese

      Actually one of the things I found loaded onto a web server (via and exploit) was an IIS module that sniffed all HTTP POST actions for credit card data and it grabbed the CC data prior to encryption from within IIS itself. Nasty little bugger!

    2. bob

      They might do. But they need to decrypt it to use it. Which means the software needs to be able to encrypt it and decrypt it. Which means an attacker of the software has everything he needs to decrypt it. Or just grab it at a point when it’s not encrypted.

      Encrypting stuff before hit hits the database add a layer of protection but only if the attacker compromises the database at some level. If the attacker compromises the software then he can grab before it’s stored.

  15. jay

    @SeymourB
    >>we used to create one-off email addresses for every website we gave email addresses to

    I still do, I had 2 addresses for dropbox and I get spam for each every day. Had similar problems with commission junction and a few others that slip my mind.

  16. Alabama Mike

    A year. Did LaCie think it was just going to go away or something? No wonder consumers lose confidence in companies.

  17. T

    How about making it illegal, yes, illegal!!! to store personal information? Oh, right, because the customer doesn’t like the inconvenience of having to re-enter data…and the huge numbers of $$ made from harvesting and selling data to others, gotten thru weasel-wording. sigh. Give out the wrong info when you can? oh, right, apparently that is illegal. can’t track anyone properly when the info is wrong to begin with…sorry, rant now over

  18. News Junkie Ed

    This outcry for heads to roll, for prosecution of actors who publish software with security holes or data that can be gotten at by and for illegal purpose would scare the hell out of me as a producer of most anything related to IT.

    It would prevent me from selling anything online if I were to be held liable for the code and standard practices used to create my sales platform.

    Did LaCie know that it was leaking card information and make the corporate decision to ignore it? Otherwise I don’t see how they can be liable.

Comments are closed.