News has surfaced that Samsung Electronics is notifying some of its customers of a data breach that exposed their personal information to an unauthorised individual.
In relation to this, the technology company says that the cyberattack impacted only customers who made purchases from the Samsung UK online store between July 1, 2019, and June 30, 2020.
Samsung discovered the data breach this week and determined that it was the result of a hacker exploiting a vulnerability in a third-party application the company used.
A warning note to affected users tells them: “Based on our investigation, we have identified that the affected data may have included your name, phone number, address and email address. We want to assure you that the issue did not impact your password or financial information” (quoted by The Daily Mirror).
In investigating the ramifications, Javvad Malik, lead security awareness advocate at KnowBe4, has explained to Digital Journal why this data breach is potentially impactful for thousands of customers.
Malik places this latest incident in context alongside other similar incidents: “Data breaches can have significant consequences, particularly with large organisations which hold hundreds of thousands of individual records.”
With the specific incident, Malik thinks that Samsung have behaved appropriately: “It’s good that Samsung has responded and notified customers in a timely manner.” Whether notifying customers in 2023 of a problem in 2020 is timely is debatable, however.
In addition, it remains unclear both precisely how the threat actor obtained the data and whether the vulnerability is still unpatched to this day.
Malik does raise the matter of weaknesses within a major corporation that have allowed such an event to happen: “Although it’s concerning that a vulnerability in a third-party application was exploited, it’s a reminder for organisations to thoroughly assess and secure their entire digital supply chain.”
He is of the view that the incident should sound warning bells for customers as well as for other businesses, noting: “Additionally, customers should remain vigilant against potential phishing attempts or scams that may arise as a result of this breach. While the focus is on the fact that no financial information was compromised, oftentimes personal information can be more valuable to criminals as they can use the information repeatedly to attack individuals.”
Turning this into a recommendation, Malik adds: “Which is why continued user awareness training is key, because as long as breaches continue to occur, individuals will remain the primary target of attack.”