
HD Manufacturer LaCie Admits Yearlong Data Breach - nimbs
http://threatpost.com/hd-manufacturer-lacie-admits-yearlong-data-breach/105447
======
PCheese
The site just emailed me my password in cleartext when I used the "forgot
password" option, so they must not be hashing them on their side. Seems like a
terrible security practice.

The incident notification states "website user names and passwords could also
have been accessed", so I guess this means cleartext passwords.
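
Added example, not part of the original comment and not LaCie's code: a minimal sketch of why a site that stores only salted password hashes has nothing to e-mail back, and of a "forgot password" flow that mails a single-use, expiring token instead. The in-memory stores, scrypt parameters, token lifetime and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # assumed work factors for this sketch
RESET_TTL = 900                             # assumed token lifetime in seconds

users = {}   # email -> (salt, scrypt hash); the password itself is never kept
resets = {}  # sha256(token) -> (email, expiry); the raw token is never kept

def _kdf(password, salt):
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)

def register(email, password):
    salt = secrets.token_bytes(16)          # per-user random salt
    users[email] = (salt, _kdf(password, salt))

def login(email, password):
    # Unknown accounts still pay the KDF cost and then fail the comparison.
    salt, stored = users.get(email, (b"\0" * 16, b""))
    return hmac.compare_digest(_kdf(password, salt), stored)

def forgot_password(email, now=None):
    """Return a one-time token to e-mail; there is no password to send."""
    if email not in users:
        return None  # the caller should answer identically in both cases
    token = secrets.token_urlsafe(32)
    expiry = (time.time() if now is None else now) + RESET_TTL
    resets[hashlib.sha256(token.encode()).digest()] = (email, expiry)
    return token

def reset_password(token, new_password, now=None):
    # pop() makes the token single use, whether or not it is still valid.
    entry = resets.pop(hashlib.sha256(token.encode()).digest(), None)
    now = time.time() if now is None else now
    if entry is None or now > entry[1]:
        return False
    register(entry[0], new_password)        # fresh salt, fresh hash
    return True
```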

------
acqq
LaCie is not only a HD manufacturer, more importantly it is also the owner of
the cloud storage service on the European servers:

[http://www.lacie.com/more/?id=10142](http://www.lacie.com/more/?id=10142)

"Cloud Collaboration. Rock-Solid Security."

[http://www.wuala.com/](http://www.wuala.com/)

[http://www.wuala.com/en/learn/technology](http://www.wuala.com/en/learn/technology)

"Our servers are based in Switzerland, Germany, and France."

Which would be preferred by Europeans. Well now...

------
ToastyMallows
Title is a little misleading. I own a LaCie External HD and I went there
expecting something about hardware level data breaches.

~~~
0x0
Indeed. Imagine what a competent attacker could do with access to the firmware
developer or distribution environment.
[http://spritesmods.com/?art=hddhack&page=1](http://spritesmods.com/?art=hddhack&page=1)

------
donbronson
LaCie should be forced to publish a list of priorities that were more
important than fixing the site for leaky credit cards.

~~~
rhizome
There is a telling lack of consumer-protection laws regarding data leaks and
breaches. Compare this with the Android flashlight-dataseller case [1], and
you see that companies perceive the data you produce as rightfully theirs to
do whatever they want with, except that which is legislatively protected (and
even then...).

1\. [http://bgr.com/2014/04/14/brightest-flashlight-app-scam-settlement/](http://bgr.com/2014/04/14/brightest-flashlight-app-scam-settlement/)

~~~
wdewind
What's the solution? We hate regulation as an industry, but if I was outside
the industry, seeing these data breaches over and over again would seem to
imply a need for regulation. Looking at PCI and HIPAA, as two examples, it
doesn't seem like data protection legislation would be super successful. Any
thoughts on that?

~~~
dispense
How about not requiring personal data when it's necessary anyway, and removing
it as soon as it isn't necessary anymore? If I buy a LaCie drive in a brick-
and-mortar store and I pay with cash, there is exactly none of my personal
data there to be stolen. I don't see why this shouldn't apply to my online
purchases. In fact, I'm quite annoyed that it doesn't apply at all.

~~~
wdewind
Because the next time you'd want to shop with that store you'd need to fill
out the profile again. This kills the conversion rate.

It's a security/UX tradeoff.

~~~
dispense
The minor inconvenience of re-entering my shipping data every time clearly
outweighs the possibility that some crime syndicate gets their hands on my
personal data. At least for me. I would appreciate it to at least have the
option to not create an account when I make a purchase. I've seen too many
data breaches to have much confidence in the security of the majority of
webshops. The only secure safeguard against theft of personal information is
to not have it stored in the first place.

~~~
cordite
This seems like the perfect place for payment processors to exist, like PayPal
and Google Wallet or whatever ones out there you'd like to use.

------
at-fates-hands
I'm no expert in security, but man am I weary of using ANY Adobe product. I
guess I continue to confirm that feeling every time I see one of these data
breaches and it's tied to Adobe products.

