Future Tech

Western Digital: Customer info stolen in that IT attack

Tan KW
Publish date: Tue, 09 May 2023, 08:27 AM

Customer information was stolen from the IT systems of Western Digital in that March IT security breach, forcing the storage manufacturer to shut down its online store until at least next week.

Western Digital (WD) first disclosed the intrusion in early April, saying that in late March its engineers discovered someone had broken into "a number" of the biz's systems. In a brief statement at the time, company officials said they had disconnected the vendor's systems and services from the public internet and were working to restore regular operations.

WD also said it was working with outside forensic experts to repair the damage, but offered little other info.

In an update late last week, WD said the intruders grabbed a copy of the database powering Western Digital's online store. That trove included a range of personal information of the store's customers, including names, billing and shipping addresses, email addresses, and telephone numbers.

Other data exposed include - in "encrypted" form - hashed and salted passwords and partial credit card numbers.

In a brief letter to customers also sent late last week, WD reiterated the data that was stolen, and said it had temporarily suspended access to online store accounts, which means no one can make online purchases right now.

The company's online store features a small banner that reads, "We'll be back soon. We are unable to process orders at this time." And where a button marked "Buy Now" would usually appear, a button marked "Find A Reseller" is the substitute.

The disk-slinger's plan is to restore access to accounts the week of May 15. The My Cloud service - which was shut down as part of the company's proactive measures after the security breach and includes such products as My Cloud Home, My Cloud Home Duo, My Cloud OS5, and SanDisk ibi - was restored April 13.

WD also outlined steps customers can take to protect themselves against fraud and other abuse of their information, and advised now is the time for heightened awareness of phishing lures.

What wasn't included in the letter was an offer from Western Digital to provide services such as credit monitoring, a step that companies whose customers' data was exposed typically take.

The Register has contacted WD for more information and will update the story if the company responds.

Who is behind this?

There also is the issue of the stolen information being released publicly by the miscreants who acquired it. The crooks claiming to have orchestrated the theft boasted at one point they had stolen 10TB of data from Western Digital, including WD's code-signing certificate. The crew said they were demanding an eight-figure ransom payment.

In late April, the BlackCat ransomware group - also known as ALPHV - posted to its own website purported screenshots of data stolen from WD and reportedly interrupted a video-conference call among Western Digital's security incident response team and taunted the group, even going as far as sharing a screenshot of the meeting, according to cyber researcher Dominic Alvieri.

Some WD users voiced their frustrations over the breach and what they said was the vendor's tardy communication.

"Took them long enough to say something," one netizen wrote on Reddit, noting that on another subreddit channel, "people have been talking about their site doing weird shit for what seems like months. Removing the ability to buy drives and stuff like that."

Another user said that "we need laws that heavily hurt companies that suffer 'customer data breaches', and hurt them even more if they are found to try and cover them up. We need to incentivize these companies to stop holding customer data."

Others took a more measured view.

"To be fair all the things they listed seem pretty essential if you're selling physical goods to people," one person wrote. "Are they just supposed to not have a record of where things got sent to or something? I'm all for data privacy, but I really don't think this is a case that deserves heavy penalties.

"The fact is that sometimes shit happens - you can do everything right and still have things go wrong. I don't think it's fair to penalise companies for this sort of thing unless it's clear that they were capable of avoiding it or reducing the impact but chose not to." ®

 

https://www.theregister.com//2023/05/08/western_digital_customer_data/
