HD Manufacturer LaCie Admits Yearlong Data Breach

PCheese 12 years ago |

The site just emailed me my password in cleartext when I used the "forgot password" option, so they must not be hashing them on their side. Seems like a terrible security practice.

The incident notification states "website user names and passwords could also have been accessed", so I guess this means cleartext passwords.

acqq 12 years ago |

LaCie is not only a HD manufacturer, more importantly it is also the owner of the cloud storage service on the European servers:

http://www.lacie.com/more/?id=10142

"Cloud Collaboration. Rock-Solid Security."

http://www.wuala.com/

http://www.wuala.com/en/learn/technology

"Our servers are based in Switzerland, Germany, and France."

Which would be preferred by Europeans. Well now...

ToastyMallows 12 years ago |

Title is a little misleading. I own a LaCie External HD and I went there expecting something about hardware level data breaches.

0x0 12 years ago | |

Indeed. Imagine what a competent attacker could do with access to the firmware developer or distribution environment. http://spritesmods.com/?art=hddhack&page=1

donbronson 12 years ago |

LaCie should be forced to publish a list of priorities that were more important than fixing the site for leaky credit cards.

rhizome 12 years ago | |

There is a telling lack of consumer-protection laws regarding data leaks and breaches. Compare this with the Android flashlight-dataseller case [1], and you see that companies perceive the data you produce as rightfully theirs to do whatever they want with, except that which is legislatively protected (and even then...).

1. http://bgr.com/2014/04/14/brightest-flashlight-app-scam-sett...

wdewind 12 years ago | | |

What's the solution? We hate regulation as an industry, but if I was outside the industry, seeing these data breaches over and over again would seem to imply a need for regulation. Looking at PCI and HIPPA, as two examples, it doesn't seem like data protection legislation would be super successful. Any thoughts on that?

dispense 12 years ago | | |

How about not requiring personal data when it's necessary anyway, and removing it as soon as it isn't necessary anymore? If I buy a LaCie drive in a brick-and-mortar store and I pay with cash, there is exactly none of my personal data there to be stolen. I don't see why this shouldn't apply to my online purchases. In fact, I'm quite annoyed that it doesn't apply at all.

rhizome 12 years ago | | |

There's a middle ground where custodial responsibilities are legislated, where the customer retains property rights in the information collected by the company and thus provides a cause of action if the company fucks up.

wdewind 12 years ago | | |

Because the next time you'd want to shop with that store you'd need to fill out the profile again. This kills the conversion rate.

It's a security/UX tradeoff.

dispense 12 years ago | | |

The minor inconvenience of re-entering my shipping data every time clearly outweighs the possibility that some crime syndicate gets their hands on my personal data. At least for me. I would appreciate it to at least have the option to not create an account when I make a purchase. I've seen too many data breaches to have much confidence in the security of the majority of webshops. The only secure safeguard against theft of personal information is to not have it stored in the first place.

CWuestefeld 12 years ago | | |

Certainly HIPAA is far more trouble, and every example I can think of, of regulation being passed in haste in response to witch hunt, has been awful. I'm thinking of stuff like Sarbanes-Oxley or Dodd-Frank. Neither of these did much in terms of their stated goals, but they have created a bunch of problems as unintended consequences.

EpicEng 12 years ago | | |

> being passed in haste in response to witch hunt

We hear about new attacks and vulnerabilities, more credit card numbers stolen, more personal information stolen, on a weekly basis. I think we're past the point of accusing legislators of acting in a reactionary manner to an isolated incident or two should the proposition of regulation be put forward.

rhizome 12 years ago | | |

We hate regulation as an industry

I don't.

tzs 12 years ago | |

I don't understand. The data was leaked from March 27, 2013 to March 10, 2014, but LaCie didn't know that was happening. They found out on March 19, 2014 when the FBI told them about it. I don't see how you infer from this miss-ordered priorities for fixing the site.

at-fates-hands 12 years ago |

I'm no expert in security, but man am I weary of using ANY Adobe product. I guess I continue to confirm that feeling every time I see one of these data breaches and its tied to Adobe products.