Communications of the ACM

ACM News

Samsung Breach Slams Consumers

Samsung waited a month to disclose the breach, which one industry observer said "shows that they also believe the compromise is widespread."

Credit: Getty Images

"Samsung recently discovered a cybersecurity incident that affected some of your information," the breach notification read. Samsung addressed the email to me and other customers involved in the breach.

On Sept. 2, Samsung notified specific U.S. customers that a late July breach affected some of their data inside U.S. systems. According to the breach notification, customers had differing combinations of their names, contact and demographic data, birthdays, and product registration information stolen. The breach only involved Samsung's servers, according to AppleInsider; Samsung consumer devices and in-app control interfaces remained untouched. 

"We want to assure our customers that the issue did not impact Social Security numbers or credit or debit card numbers," the Samsung email continued. We know little about the late July breach, which Samsung confirmed internally by early August, though it didn't disclose it until September.

Litigants in a class action suit against Samsung Electronics of America asserted that the July breach, together with one in March, affected more than half of U.S. Samsung customers, according to Dark Reading.

That's a lot of people to leave in the dark. All my emails to the Samsung address generated automated responses about the breach, with no new information. We can surmise as much from what we don't know about the breach as what we know.

Did the March Breach Leave a Backdoor Open?

There are some clues to who breached Samsung and how they did it. According to Tom's Hardware, the Lapsus$ APT group breached Samsung source code secrets in March.

According to a KPMG advisory, source code secrets include access credentials such as API keys, access tokens, RSA keys, identifying certificates, and database connection strings buried in the software. The same advisory notes that Samsung may not have removed the malware (malicious software) infestations from the March attack, so the July breach may have been an extension of the one in March.
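The secret categories the KPMG advisory lists are exactly what a pre-commit or CI secrets scanner looks for. The following is an added illustration, not code from Samsung, KPMG, or any scanning product: a small scanner that runs simplified patterns for hard-coded API keys, cloud access key IDs, private key and certificate blocks, and database connection strings over a constructed source file, and redacts each hit so the report itself does not re-leak the credential. The regexes and the sample source are our own assumptions, written to show the technique rather than to match any vendor's ruleset.

```python
import re
from dataclasses import dataclass

# Simplified, illustrative patterns for the categories named in the article.
# Real scanners carry hundreds of rules plus entropy checks; these are assumptions.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "certificate_block": re.compile(r"-----BEGIN CERTIFICATE-----"),
    # scheme://user:password@host  (password is the sensitive part)
    "db_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:@/]+:[^\s@/]+@[^\s/]+",
        re.IGNORECASE),
    # NAME = "value" style assignments; group(1) captures only the value
    "generic_api_key": re.compile(
        r"""(?i)\b(?:api[_-]?key|access[_-]?token|secret)\b\s*[:=]\s*["']([A-Za-z0-9_\-]{16,})["']"""),
}


@dataclass
class Finding:
    kind: str
    line_no: int
    excerpt: str  # redacted, safe to put in a ticket or CI log


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix for triage and mask the rest so reports don't re-leak."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_source(text: str) -> list[Finding]:
    """Scan one file's text line by line; every matching pattern yields a Finding."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            # Prefer the captured value when the rule has one, else the whole match
            secret = m.group(1) if m.lastindex else m.group(0)
            findings.append(Finding(kind, line_no, redact(secret)))
    return findings


def ci_gate(text: str) -> int:
    """Return a process exit code: 1 if any secret was found, 0 otherwise."""
    return 1 if scan_source(text) else 0


# Constructed sample source with deliberately fake credentials.
SAMPLE_SOURCE = """\
import requests

API_KEY = "sk_live_constructedexamplekey0001"
AWS_KEY = "AKIAEXAMPLEEXAMPLE01"
DB_URL = "postgres://app_user:hunter2pass@db.internal.example/app"
TIMEOUT = 30
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind}: {f.excerpt}")
    raise SystemExit(ci_gate(SAMPLE_SOURCE))
```

Run as a pre-commit hook or CI step, `ci_gate` fails the build on any hit; the redacted excerpt tells a reviewer which line to fix without copying the secret into the build log. The stronger mitigation, as the advisory implies, is to keep such values out of source entirely and rotate any that a scan finds, since a key that was ever committed must be treated as exposed.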

"It is also interesting that Samsung waited a month to disclose the breach, which shows that they also believe the compromise is widespread. There is a fair chance that the most recent breach ties to the one disclosed in March," says Safi Raza, director of cybersecurity at Fusion Risk Management, a risk management consulting services and software solutions provider.

Affected data

According to TechCrunch, the demographic data Samsung collects includes precise geolocation data, while product registration information includes device serial numbers, model numbers, and unique identifiers such as smartphone IMEI numbers. Cybercriminals use geolocation data to pinpoint your relationships and travel patterns, including the people you meet and where you meet them. They compile unique identifier data with other information they steal or learn about you to confirm who you are and where you go online.

Stolen device IDs and IMEI numbers give criminal hackers plenty to work with. "With the right combination of an IMEI and social engineering, a hacker can cause inconveniences, such as reporting the device as stolen and causing a temporary lack of service. They can also use the IMEI to locate the device," says Raza.

Remaining questions

Samsung's disclosures about the July breach stir more questions than they answer.

"Many large organizations, especially global ones, limit the breach information they release based on recommendations from their communications and legal teams to reduce the damage to the brand," says James McQuiggan, security awareness advocate at KnowBe4, a security awareness and training provider.

The device vendor hasn't named the cybersecurity firm it engaged to help with the investigation and close the vulnerabilities. Organizations adding cybersecurity services post-breach often don't identify the providers, since attackers could use that information to their advantage. Yet the expertise of the security vendor could provide insight into the security challenges that Samsung seeks to resolve.

The FBI is almost always at work in these investigations, but Samsung hasn't identified the law enforcement agency that has taken the case. "While I cannot confirm, it would be shocking if the FBI was not involved in some way," says Chad McDonald, chief information security officer (CISO) of Radiant Logic, an identity platform provider.

"The ongoing investigation should provide a clearer picture of affected systems and stolen data. Once completed, the investigation should give Samsung enough information to notify impacted individuals, itemize lost data, and work on a plan to bolster its data security strategy," says Arti Raman, CEO and founder of encryption provider Titaniam. We should know more then.

Lasting effects on customers

"One breach feeds many subsequent breaches, resulting in an impact far greater than the original. With Samsung, attackers could steal customer identities, reroute messages, steal more personal data from the device, and deploy text-based scams like doxxing, blackmail, and spoofing," says Raman. Phishing and other social engineering attacks on customer personally identifiable information (PII) are not off the table either. 

The information published by the Samsung Security Response Center suggests that other victims of the breach could come to light as the investigation unfolds. Between the outcome of the class action suit against Samsung, the company's future disclosures, and information revealed by other sources, we'll know more soon enough.


David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.