Full Report
Acer has confirmed a 60GB data breach resulting from a cyber attack on its Indian offices - the second major breach to affect the global hardware and electronics company this year.
Analysis Summary
# Incident Report: Acer India Data Breach - October 2021
## Executive Summary
In October 2021, Acer India suffered a significant data breach attributed to the hacker group Desorden, the second major security incident for the global electronics company that year. The attackers exfiltrated approximately 60GB of sensitive data, including customer and retailer credentials, in an attack that likely began on October 5. Acer acknowledged the incident and described it as an isolated attack, although later reports indicated that the threat actor subsequently targeted Acer servers in Taiwan, Malaysia, and Indonesia.
## Incident Details
- Discovery Date: October 13, 2021 (Reported by *Privacy Affairs*)
- Incident Date: Initial attack likely occurred on October 5, 2021 (on Acer India servers)
- Affected Organization: Acer (specifically Acer India offices)
- Sector: Hardware and Electronics
- Geography: India (and later Taiwan, Malaysia, Indonesia)
## Timeline of Events
### Initial Access
- **Date/Time:** On or around October 5, 2021
- **Vector:** Cyber attack against Acer India’s servers (method not specified in the source material)
- **Details:** Attributed to the hacker group Desorden.
### Lateral Movement
- **Details:** Subsequent reports on October 16, 2021, indicate that Desorden gained access to Acer’s Taiwan server and found vulnerabilities on the Malaysian and Indonesian servers, suggesting either successful lateral movement from the initial foothold or the identification of multiple independent weak points across the network.
### Data Exfiltration/Impact
- **Details:** Approximately 60GB of data was stolen from Acer India. This included: individual customer information, corporate customer data, financial data, and login credentials for over 3,000 Acer retailers and distributors in India. Separately, data pertaining to Acer employees and product information was allegedly accessed on the Taiwan server. Desorden threatened further data release pending payment.
### Detection & Response
- **How it was discovered:** Reported publicly by *Privacy Affairs* on October 13, 2021.
- **Response actions taken:** Acer described the breach as an "isolated attack" and stated that "security protocols" were being followed. (No specific containment or eradication timeline was provided in the source material beyond the initial statement.)
## Attack Methodology
- **Initial Access:** Unspecified initial entry vector against Acer India’s servers.
- **Persistence:** Not detailed, but the group claimed ongoing access and threatened further data dumps.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed, but the group implied poor data security practices allowed the breach.
- **Credential Access:** Explicitly compromised login credentials for over 3,000 retailers/distributors in India.
- **Discovery:** Not detailed, but multiple international servers (Taiwan, Malaysia, Indonesia) were subsequently targeted.
- **Lateral Movement:** Implied or actual movement to the Taiwanese, Malaysian, and Indonesian servers following the initial India breach.
- **Collection:** Gathered 60GB of data across several categories, including financial and customer PII/business data.
- **Exfiltration:** Data was exfiltrated and the group threatened public release dependent on payment (suggesting an extortion motive).
- **Impact:** Data compromise and financial extortion attempt.
## Impact Assessment
- **Financial:** Desorden's primary motive was financial (extortion). This follows a major $50 million ransomware attack Acer suffered in March 2021.
- **Data Breach:** 60GB of data compromised from India servers. Affected over 10,000 individuals with records including customer info, corporate data, financial records, and 3,000+ retailer/distributor credentials. Taiwanese server data included employee details and passwords to internal admin panels.
- **Operational:** Disruption is implied by the initial attack on the India servers and by the subsequent identification of vulnerabilities across other regional servers.
- **Reputational:** Significant negative publicity, marking Acer’s second major breach in 2021, leading to public questions about their security posture.
## Indicators of Compromise
- **Network indicators:** None specified (URLs/IPs were not publicly disclosed in the summary).
- **File indicators:** None specified.
- **Behavioral indicators:** Publicized attempts at data extortion by the group Desorden following data exfiltration.
## Response Actions
- **Containment measures:** Acer stated that security protocols were followed, implying that internal containment efforts were initiated after discovery.
- **Eradication steps:** Not detailed.
- **Recovery actions:** Not detailed, though the group’s continued activity against the Taiwan server implies that those vulnerabilities still required attention.
## Lessons Learned
- The organization appears vulnerable across multiple international servers (India, Taiwan, Malaysia, Indonesia), suggesting systemic security weaknesses rather than an isolated failure.
- A history of major incidents (March ransomware attack followed by this breach) indicates current security policies and practices may be inadequate to deter or stop sophisticated threat actors.
- Credential hygiene for third-party partners (retailers/distributors) is a critical exposure point.
## Recommendations
- Immediately audit and overhaul security protocols across all international/regional servers identified as vulnerable (India, Taiwan, Malaysia, Indonesia).
- Enforce Multi-Factor Authentication (MFA) and strong password policies, especially for retailer/distributor portals and internal admin panels where credentials were stolen.
- Conduct a thorough forensic investigation to determine the root cause of initial access and review internal segmentation to limit lateral movement potential.