Cyber Incident Victim: LaCie

LaCie, a French hardware company in the process of merging with Seagate, disclosed a significant security breach on April 15, 2014, following an FBI notification on March 19, 2014. The company confirmed that malware had infiltrated its website, compromising transactions processed between March 27, 2013, and March 10, 2014, placing virtually all customers who shopped online during this period at risk. Security researcher Brian Krebs linked the breach to attackers exploiting vulnerabilities in Adobe’s ColdFusion software, a vector previously used in intrusions targeting dozens of online retailers. This connection referenced Adobe’s own 2013 breach, which initially impacted 3 million accounts but was later revised to 38 million, exposing source code for ColdFusion and other products; Adobe had patched these vulnerabilities prior to LaCie’s disclosure. The attackers accessed customer names, physical addresses, email addresses, payment card numbers, card expiration dates, usernames, and passwords through the compromised web storefront.

LaCie initiated customer notifications via mailed letters starting April 11, 2014, and mandated password resets for affected accounts. The company collaborated with the FBI and an unnamed forensic investigation firm to analyze the breach and implement enhanced security measures. As an immediate containment action, LaCie shut down its online store indefinitely to secure its payment infrastructure. No specific number of impacted customers was disclosed, but the company emphasized the broad scope, acknowledging all transactions during the 11.5-month window were potentially exposed. The breach highlighted systemic risks associated with third-party software vulnerabilities, particularly given the attackers’ use of previously identified ColdFusion exploits to infiltrate multiple e-commerce platforms. LaCie’s public acknowledgment followed Krebs’ earlier reporting on the intrusion, underscoring the prolonged duration between initial compromise and detection.