The lack of transparency can be cause for concern, but stolen data is not of great value.
Samsung announced on September 2, 2022 the second data breach of 2022. In a statement that provided little detail about the exact nature of the breach, the company said name, contact, The demographic information, date of birth, and product registration information of “certain customers” were affected.
Which customers were affected by the data breach?
The company did not specify what types of customers – for example, businesses or consumers – were affected, provide a breakdown of the affected areas, or provide any other information. This lack of specificity would lead all customers to conclude that their data was part of the breach.
UNDERSTAND: Mobile device privacy policy (TechRepublic Premium)
“When breach disclosures occur, this is a mixed bag,” said Chris Clements, vice president of Solution Architecture at Cerberus Sentinel. “The lack of transparency on the number of individuals affected as well as the delay in notifying them combined with Friday’s weekend release appear to be obvious efforts to mitigate the issue. “.
The company has established a Frequently asked questions page for customers who said the breach was initially discovered at the end of July 2022, and as of August 4, they identified personal data that had been separated from “several Samsung systems in the United States” . The news was announced a month later on Friday, September 2.
Unlike the March breachthis affected the source code of Galaxy smartphone According to multiple news sources, the company said the beach does not affect consumer devices. The company also said credit card numbers and social security are not at risk.
“Unfortunately, this breach is the second for Samsung this year, as cybercriminals steal source code and other technical information,” said James McQuiggan, security awareness advocate at KnowBe4 , said. “With the collection of user information, targeted attacks can occur against them in relation to the Samsung products they own.”
New data breach could be the result of the most recent hack
Chad McDonald, CISO of Radiant Logic, said the latest incident could be a continuation of the March attack when it infiltrated corporate networks, especially one as large and complex as yours. Samsung. management provider.
“The fact that they sat on this issue for so long before they made it public… implies to me that they care less about urgency,” he said. “This makes me feel like this could very well be just a sequel to [the former breach] they just haven’t found out yet. “
McDonald notes that the other most likely threat vector that attackers use to gain access is phishing emails.
“It’s the easiest way and it’s a math game, isn’t it? You send a million emails and then you get two clicks… to get the key to the kingdom, so to speak,” he said.
Samsung may face legal action
As for the data that Samsung says has been retrieved, McDonald’s doesn’t see it as high risk.
The impact of the breach could be more damaging for Samsung because it waited so long to reveal it publicly. If any of the stolen data is from customers in the European Union, Samsung could be in breach Article 33 of the General Data Protection Rule, which states that an organization must notify the supervisory authority of each affected country within 72 hours “unless a personal data breach is not likely to lead to risks to the rights and freedoms of natural persons”.
“Again, you now have so many regulations that you have to have an immediate response… there are two or three in the US,” McDonald said. “But I don’t think there are many regulatory teeth around that. GDPR is currently the biggest hitter in terms of penalties. “
For more information about the breach, TechRepublic has reached out to Samsung’s US media relations team. Since publication, they have not responded.
