
Cyber Incident Victim: Acer Inc.

Date: May 2015

Location: United States of America

Summary

Acer Inc. experienced a cybersecurity breach in which hackers exploited a flaw in its online store to steal full credit card data, names, and addresses from customers over a one-year period. The incident impacted approximately 34,500 individuals across the United States, Canada, and Puerto Rico, with the company notifying affected customers and relevant authorities. While no evidence indicated compromised passwords or login credentials, the company did not definitively exclude this possibility. The breach was unrelated to contemporaneous large-scale incidents affecting other major platforms.


Description

Acer Inc. experienced a cybersecurity breach affecting its online store, disclosed through a letter to the California attorney general dated June 15, 2016. The company confirmed that an unauthorized third party exploited a flaw in its e-commerce platform, exfiltrating customer data over an 11-month period from mid-May 2015 through late April 2016. Attackers obtained full credit card details alongside customer names and physical addresses during this sustained compromise. The breach impacted 34,500 individuals exclusively located in the United States, Canada, and Puerto Rico. Acer's investigation found no conclusive evidence that user account credentials such as passwords or login information were accessed, though the company declined to categorically exclude this possibility. The intrusion was detected and contained by April 2016, prompting internal forensic analysis prior to regulatory notification.


Acer initiated customer notifications coinciding with its disclosure to California authorities, adhering to breach reporting timelines mandated by state law. The company confined its communications to confirmed impacts, avoiding speculation about potential misuse of stolen payment card data. Forensic evidence indicated the attack constituted a standalone incident unrelated to contemporaneous large-scale breaches affecting platforms including MySpace, LinkedIn, and Tumblr, which involved historical data dumps from separate threat actors. Similarly, Acer clarified that there was no connection to VerticalScope's approximately 45 million compromised user records from forum hacks disclosed earlier that week. Response efforts focused on securing the online store's payment processing systems and coordinating with financial institutions regarding potentially exposed credit card details. The breach represented one of the first major retail data compromises publicly tied to a multinational hardware manufacturer during that period.
