Worse still, the company didn’t even figure it out themselves. They were only alerted to the problem when they received a visit from the FBI, who notified LaCie that there were “indications that an unauthorized person used malware to gain access to information.”
The result: from March 27, 2013 until March 10, 2014, cybercriminals were likely siphoning off payment information from LaCie’s servers. The usual data was targeted: names, addresses, credit card numbers, emails. For something like this to have been ongoing for an entire year is extremely disconcerting. Granted, this isn’t as big a problem as the massive Target breach, but it’s yet another black eye on the face of internet security.
If you’ve purchased anything from LaCie’s own website in the past year, now’s the time to go back through your credit card statements. There may be fraudulent charges lurking on there that you need to report to your card issuer. You should probably head over and change the password for your LaCie account once the online shop opens back up.
LaCie has temporarily shut the online shop down while a “leading forensic” firm completes a thorough investigation. Once it’s finished, they should be able to plug the holes and make sure it doesn’t happen again.
It doesn’t appear right now as though there’s any link to the Heartbleed vulnerability. It’s possible that LaCie didn’t upgrade their servers to a vulnerable version of OpenSSL until 2013, but that wouldn’t explain why transactions after March 10 of this year weren’t affected since Heartbleed wasn’t revealed until last week.