Dell Data Breach Could Affect 49 Million Customers – Source: securityboulevard.com

Source: securityboulevard.com – Author: Jeffrey Burt

Dell is sending emails to as many as 49 million people about a data breach that exposed their names, physical addresses, and product order information.

According to the brief message, bad actors breached a Dell portal that contains a database “with limited types of customer information related to purchases from Dell.” The message adds that the company believes “there is not a significant risk to our customers given the type of information involved.”

The hardware and order information stolen includes the service tag, a description of the product purchased, the date of the order, and related warranty information. According to the company, other information, such as financial or payment data, email addresses, telephone numbers, or other highly sensitive customer information, was not exposed.

Once the incident was detected, Dell implemented its incident response program, started investigating the breach, notified law enforcement, and moved to contain the breach. The company also brought in a third-party forensics firm to help with the investigation.

Database Offered for Sale

News of a possible breach was first reported two weeks ago, though it didn’t get wide coverage until Dell started sending out the emails this week. The website Daily Dark Web reported on April 29 that a threat actor on a dark web forum was selling a database that allegedly contained customer records from as many as 49 million Dell customers, with the information connected to systems bought from Dell between 2017 and this year.

A screenshot by the Daily Dark Web of some of the data included purchases of such products as Dell Inspiron, XPS, and Latitude laptops, UltraSharp monitors, and Alienware systems. According to the report, the records showed product purchases not only by individuals, but also by consumer-focused companies, enterprises, schools, and Dell partners.

Rob Enderle, principal analyst with The Enderle Group, told Security Boulevard that the IT and consumer tech giant is going to take a reputational hit because of the data breach.

“The issue for Dell is that, if Dell can’t protect itself from this kind of problem why would anyone use them to protect themselves?” Enderle said. “This is a serious problem for their ability to sell solutions even though, from what we’ve seen, this could have happened to anyone who underfunded the defense for customer records.”

The Risk is Real

He and some cybersecurity experts also pushed back at Dell’s comment – made twice in the email – that the kind of information in the stolen records doesn’t represent a significant risk to customers. Scammers could use the data to contact customers and pose as Dell employees to try to convince them to disclose more personal information or to install some malicious code.

“With this information, a hostile actor can effectively steal Dell’s identity and convince a Dell customer they are Dell,” Enderle said. “Imagine if that customer is an admin, CIO, CEO, or CFO. The damage could be massive.”

Sarah Jones, cyber threat intelligence research analyst at Critical Start, echoed Enderle’s point, telling Security Boulevard that “leaked names, addresses, and purchase history constitute a privacy intrusion, potentially enabling attackers to craft highly targeted schemes. Phishing attempts impersonating Dell support to steal financial information or targeted marketing campaigns leveraging purchase history for manipulative tactics are both realistic possibilities. This incident highlights the potential for misuse of seemingly innocuous data.”

AI Heightens the Threat

Also, bad actors could take the data, which includes such personal information as full names and addresses, and correlate it with other publicly available information to commit fraud or fool people in hopes of stealing money, said Agnidipta Sarkar, vice president CISO advisory at ColorTokens. This becomes particularly dangerous because cybercriminals use generative AI to create deepfakes that make them more convincing when posing as another person.

At the end of its email, Dell reiterated that users “should always keep in mind these tips to help avoid tech support phone scams,” adding that suspicious activity should be reported to [email protected].

However, Enderle said that, given the wording in the email, Dell appears to be trying to play down the risk, which he said is “actually making their customers more exposed than they already are and I think, strategically, it has the chance of doing more harm to their customers than they realize and could be catastrophic to their brand if this is done at scale.”

“Dell should immediately be warning their customers to be aware that if they are called, emailed, or otherwise contacted by Dell, they shouldn’t trust that identity and instead disconnect and contact Dell using contact information on Dell’s site, or information they used before that they know to be accurate,” Enderle said.

More Transparency Needed

Others also criticized Dell’s choice of words. Critical Start’s Jones said the “discrepancy between Dell’s downplayed assessment and the potential ramifications underscores the need for greater transparency. A more comprehensive explanation of the breach’s scope and potential consequences would not only empower customers to take appropriate precautions but also rebuild trust in Dell’s commitment to data security.”

A user on Reddit who said they received the email agreed.

“They claim ‘no significant risk’ yet bad actors having access to your hardware information, including original configuration, is VERY bad imo,” they wrote. “They are trying to make this ok and not a big deal, but what they should be doing is warning people to make sure they arent [sic] using any default login, change their IDRAC logins etc etc. Poor communications from Dell on this one.”

John Bambenek, president at cybersecurity firm Bambenek Consulting, who also was affected by the data breach, told Security Boulevard he was glad it didn’t include highly sensitive information. “I’m still not a fan of the information that did get out there, and if someone did misuse that somehow, I’m the one that pays the price for Dell not doing enough to protect it,” he said.

Original Post URL: https://securityboulevard.com/2024/05/dell-data-breach-could-affect-49-million-customers/

Category & Tags: Cybersecurity, Data Privacy, Data Security, Featured, Identity & Access, Incident Response, Network Security, News, Security Boulevard (Original), Social – Facebook, Social – LinkedIn, Social – X, Social Engineering, Spotlight, Threats & Breaches, Data breach, Dell Technologies
