Hard drive maker LaCie has admitted that it was the victim of a hacking incident that went unnoticed for almost a year.
The Seagate-owned firm was notified by the FBI towards the end of March about an unauthorised access of personal customer information from its website.
LaCie believes that transactions made between March 27, 2013 and March 10, 2014 are affected, and information stolen could include names, addresses, email addresses, credit card numbers and expiration dates, and login and password credentials.
While LaCie did not specify how the attack occurred, security blogger Brian Krebs suggested that vulnerabilities in Adobe ColdFusion were exploited.
LaCie said it has temporarily disabled the shop on its website while it moves to a more secure payment service. It also hired a forensic investigation firm to explore the issue and help improve its security.
The hack is made worse because LaCie also offers a series of security-focused hard drive products for business use. While the products have not been affected, the company's lack of awareness about its own online security will create customer doubts.
"Customers should also be asking the company tough questions about why it didn't spot the intrusion earlier, and whether it had put enough resources into properly penetration testing its site to find and resolve weaknesses," said Graham Cluley, an independent security consultant, on his blog.
Cluley labelled the incident "deeply embarrassing," and recommended that LaCie customers keep an eye on their credit card bills for unusual activity, as well as ensuring their LaCie password is not in use anywhere else.
He warned other companies not to become "smug" or complacent about their own security.