The lack of transparency could be cause for concern, but the data stolen is not high value.
Samsung announced on Sept. 2, 2022 its second data breach of 2022. In a statement that provided little detail about the exact nature of the breach, the company said that name, contact, demographic information, date of birth and product registration information of “certain customers” was impacted.
Which customers were affected by the data breach?
The company did not specify which type of customers — business or consumer, for example — were impacted, give a breakdown of affected regions or provide any other information. This lack of specificity should lead all customers to conclude that their data is part of the breach.
“As breach disclosures go, this is a mixed bag,” said Chris Clements, vice president of Solutions Architecture at Cerberus Sentinel. “The lack of transparency on the number of individuals impacted as well as the delay in notifying them combined with a late Friday holiday weekend release seem like clear attempts to minimize the incident.”
The company has set up a FAQ page for customers that states the initial breach was discovered in late July 2022 and that by August 4 they had determined personal data was exfiltrated from “some of Samsung’s U.S. systems.” The news was made public a month later on Friday, September 2.
Unlike the March breach, which according to multiple news sources impacted the source code of Galaxy smartphones, the company said this breach did not affect consumer devices. The company also said that Social Security and credit card numbers were not at risk.
“Unfortunately, this breach is the second for Samsung this year, when cybercriminals stole source code and other technical information,” said James McQuiggan, security awareness advocate at KnowBe4. “With the collection of user information, targeted attacks could occur against them relating to Samsung products they own.”
New data breach likely a result of last hack
Given the difficulty of completely eliminating malware once it has infiltrated a corporate network, especially one as large and complex as Samsung’s, the latest incident could well be a continuation of the March hack, said Chad McDonald, CISO of Radiant Logic, an identity and access management vendor.
“The fact that they sat on this for as long as they did before they did a public disclosure … implies to me they were less concerned about urgency,” he said. “This makes me feel like this was quite likely just a continuation of [the former breach] they just hadn’t discovered yet.”
The other likely threat vector the attackers used to gain access was a phishing email, McDonald noted.
“It’s the easiest way and it’s a mathematical game, right? You send a million emails and then you get two clicks … to get the keys to the kingdom, so to speak,” he said.
Samsung could be facing regulatory action
As for the data that Samsung said was exfiltrated, McDonald does not see it as high risk.
The impact of the breach may be far more harmful to Samsung because it waited so long to disclose the incident publicly. If any of the stolen data belongs to EU customers, Samsung may be in violation of Article 33 of the General Data Protection Regulation, which states that an organization must notify each affected country’s supervisory authority within 72 hours of becoming aware of a breach “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
“Again, you’ve got so many regulations right now stipulating that you have an immediate response … there’s two or three in the U.S.,” McDonald said. “But I don’t think there’s been a lot of regulatory teeth around that. GDPR is the heavy hitter on the penalty side right now.”
To obtain more information about the breach, TechRepublic reached out to Samsung’s U.S. media relations team. As of publication, they have not responded.