Acer Philippines confirmed a security breach occurred within a third-party vendor's system responsible for managing employee attendance data, resulting in unauthorized access to this information.
The breach did not affect Acer Philippines' customer databases. The company emphasized that customer data remains secure, highlighting that the attendance system and customer databases are entirely separate, with robust internal systems in place to protect customer information from cybersecurity threats.
Acer Philippines has notified the National Privacy Commission (NPC) and the Cybercrime Investigation and Coordinating Center (CICC) about the breach. A full investigation is currently underway to understand the breach's circumstances fully.
The company encourages individuals with questions or concerns about the breach to contact Acer Philippines through their official support channels, indicating a commitment to transparency and customer service in the wake of the incident.
The incident is framed within the broader context of supply chain attacks, where cybercriminals target less secure elements in a company's supply network. This method is highlighted as increasingly common, with several notable victims mentioned, including SolarWinds, Kaseya, Codecov, Target, and Maersk, underscoring the importance of robust cybersecurity practices not just within companies but across their vendor and supplier networks to mitigate these risks.
Acer Philippines reports data breach in third-party vendor system
The cybersecurity incident affected employee attendance data but did not compromise customer databases, as Acer Philippines assures all client information remains protected
At a glance
Acer Philippines responds to security breach with transparency and assurance: An official statement reveals a third-party vendor's system compromise, emphasizing customer data security and ongoing investigations.
Acer Philippines confirmed through an official statement that a security breach occurred within a third-party vendor's system. The vendor was responsible for managing Acer Philippines' employee attendance data, and the breach resulted in the unauthorized access of this information.
The company emphasized that this incident does not involve Acer Philippines customer databases. Customer data remains secure, as the attendance system and customer databases are entirely separate. In addition, Acer maintains internal systems that protect customer data from cybersecurity threats.
Acer Philippines has alerted the National Privacy Commission (NPC) and the Cybercrime Investigation and Coordinating Center (CICC) regarding the incident. A full investigation into the circumstances of the breach is currently underway.
The company encourages individuals with questions or concerns to contact Acer Philippines through their official support channels.
What is a supply chain attack
Supply chain attacks involve cybercriminals targeting less secure elements within an organization's network of suppliers and vendors. These attacks aim to gain access to the larger organization's systems. This method is becoming increasingly common as companies improve cybersecurity, forcing attackers to exploit weaknesses in their partners' systems. While the attackers successfully infiltrated the employee attendance system, Acer Philippines has confirmed that customer data remains secure.
Philippine Airlines (Mabuhay Miles) was a victim of a supply chain attack in 2023, a data breach affecting the frequent flyer program. The breach was linked to a third-party service provider.
Other notable global supply chain attack victims include:
SolarWinds: A massive 2020 supply chain attack where hackers compromised SolarWinds' Orion network management software. This allowed them to infiltrate numerous government agencies and large corporations worldwide.
Kaseya: In 2021, attackers leveraged Kaseya's VSA remote management software to distribute ransomware to numerous businesses, impacting hundreds of companies.
Codecov: In 2021, a software testing tool was compromised, allowing hackers to potentially steal sensitive data from hundreds of companies that used it.
Target: The infamous 2013 Target data breach initially occurred through a supply chain attack. Hackers targeted an HVAC vendor with access to Target's systems.
Maersk: The international shipping company was one of the victims hit hard by the NotPetya ransomware, spread in part through compromised Ukrainian accounting software.
Recommendations to mitigate supply chain attacks
Organizations are advised to adopt a comprehensive security strategy to combat the rising threat of supply chain attacks. This includes rigorous vetting of third-party vendors, incorporating security obligations into contracts, and ongoing compliance monitoring. Emphasizing a zero-trust security model, network segmentation, and multi-factor authentication are crucial. Additionally, adopting secure software development practices, maintaining a software bill of materials, and vulnerability scanning can help safeguard against potential breaches. Organizations should also have a solid incident response plan, conduct regular security training, and engage in industry-wide collaborations to stay ahead of cyber threats. Finally, stay informed about threat intelligence and collaborate with others in your industry to strengthen your defenses against this growing cybersecurity risk.