Jun 7, 2011 14:57 GMT

The recent data breach incident that resulted in information about Acer consumers in over 29 countries being exposed was the result of the company's own negligence.

Last week, hackers identifying themselves as members of the Pakistan Cyber Army (PCA) obtained access to ftp.acer-euro.com, the FTP server for Acer's EMEA service & support website.

Released screenshots showed hackers connecting to the FTP server with a user called "navasp" and a "Country Wise Customer Data.zip" file sitting in a sub-directory.

The archive contained Acer customer data spreadsheets organized by country. The information included full names, email addresses, full home addresses (with postal code, city and country) and phone numbers.

The question on everyone's mind at the time was the method used by hackers to obtain the password for the navasp account.

Stealing it from the compromised computer of an Acer employee was one possibility. However, according to The Hacker News, the answer is much simpler: they Googled it.

Apparently the navasp username and password were posted at the beginning of 2008 on a public forum by an Acer employee. Judging by the post, the login info was shared with people who had trouble obtaining a hotfix.

It's not clear when the "Country Wise Customer Data.zip" file was uploaded to the FTP server or for what purpose, but leaving it there was clearly bad security.

Since the FTP account was also used to store the source code for an ASP application developed by Acer, we can speculate that the data was used for testing purposes.

Of course, testing should always be done with dummy data, not live data as appears to have been the case here, but programmers don't always think of the security implications.