Analysis of Samsung's data breach notice


Hours before a long US holiday weekend, electronics giant Samsung announced that its US systems had been hacked a month earlier by malicious hackers, who broke in and got away with a trove of personal data on an indeterminate number of its customers.

The data breach is likely significant. Samsung is one of the biggest tech companies with hundreds of millions of device owners – and users – around the world. But Samsung’s poorly explained data breach notice, coupled with its unexplained delay in disclosing the data breach, has left customers reading the tea leaves and without a clear idea of what they can do to protect themselves, if necessary.

TechCrunch has tagged and annotated Samsung’s data breach notice with our analysis of what it means – and what Samsung leaves out.

Samsung spokespersons, via crisis communications firm Edelman, declined to answer questions we sent ahead of publication, citing the “ongoing nature of our coordination with law enforcement.”

What Samsung said in its data breach notice

Samsung knows a security incident is a data breach

Not all security incidents are created equal. Malicious hackers don’t always steal data; it depends on the configuration of a company’s systems and network and how far the hackers get. In this case, Samsung knows that the data has been “acquired” – or exfiltrated – by hackers.

Remember that this is only the initial disclosure of the breach. Samsung provides the minimum of what the company has to tell you. The fact that hackers gained access to customers’ personal information either shows that Samsung did not protect this data as well as it should, or that the hackers had such deep access to Samsung’s network that they were able to access customer data and possibly other very sensitive files. It is also Samsung’s second known data breach this year after the Lapsus$ hacking team stole source code and other confidential internal documents from the company’s systems in March, although no customer information was taken.

Customers’ personal information was stolen

Samsung says in its data breach notice that hackers “in some cases” took customer names, contact and demographic information, date of birth, and product registration information. This suggests that not all Samsung customers are affected, but it could also mean that Samsung does not yet know how much data was stolen during its data breach.

Names and dates of birth are personal information. It’s less clear what other data was stolen, but the clues are in the privacy policy.

Samsung previously told TechCrunch that customers provide information when registering their devices to access “service and support, warranty information, software updates and exclusive offers for purchase of future Samsung products.” This data includes the Samsung product model, date of purchase, and a unique device identifier, such as an IMEI number and advertising ID for phones, or serial numbers for other devices such as smart TVs.

Unique IDs are designed to be pseudonymous so that in the event of a data breach, those random strings of letters and numbers won’t be of much use. But unique identifiers are not fully anonymized and may be combined with other data for targeted advertising or to identify users or track someone’s online activity.

Demographic data includes precise geolocation data

Samsung’s data breach notice includes a vague mention of “demographic information” that was stolen by hackers. Samsung says it collects this unspecified demographic information to “help provide the best possible experience with our products and services” – or, put another way, for targeted advertising.

Samsung’s US privacy policy explains this more explicitly: “Ad networks allow us to target our messages to users by taking into account demographics, inferred user interests and browsing context. These networks may track users’ online activities over time by collecting information through automated means, including through the use of browser cookies, web beacons, pixels, device identifiers, server logs and other similar technologies.”

Samsung declined to tell TechCrunch what specific data the “demographic information” includes, but there are more clues in the company’s separate privacy policy for advertising, which it links to in the data breach notice and which explains what demographic information includes.

The list is long and you should take the time to read it carefully for yourself. The short version is that Samsung collects technical information about your phone or other device, how you use your device, such as the apps you have installed and the websites you visit, and how you interact with advertisements, which is used by advertisers and data brokers to derive information about you. The data may also include your “precise geolocation data”, which may be used to identify where you are going and who you are meeting. Samsung says it collects information about what you watch on its smart TVs, including the channels and programs you’ve watched.

Samsung also says it “may obtain other behavioral and demographic data from trusted third-party data sources,” which means Samsung buys data from other companies and combines it with its own stores of information on customers to learn more about you, again for targeted advertising. Samsung wouldn’t say which companies, such as data brokers, it gets this data from.

But that same data in the hands of bad actors can reveal a lot about a person and their online habits.

Why doesn’t Samsung say any of this in its data breach notice? Although the data is not personally identifiable, it is still personal in nature as it relates to tastes, preferences and our activity in the real world, which is why the finer details of what companies like Samsung collect about you are often buried in privacy policies that no one reads (and we’re all guilty of that).

Samsung declined to say whether any third-party data was compromised in its breach, but did not dispute our characterizations when spokespersons were contacted prior to publication.

What Samsung doesn’t say in its data breach notice

Samsung won’t say how many customers are affected

Samsung declined to tell TechCrunch how many customers are affected by the breach. Samsung may not know, though that is unlikely since it has already emailed customers it believes are affected. Or, what’s more likely, is that the number of affected customers is so large that Samsung doesn’t want you to know because the company would find it embarrassing.

Samsung has hundreds of millions of users, but rarely lists the number of its customers. Even 1% of affected customers could still represent millions or even tens of millions of affected users.

It’s unclear why social security numbers are mentioned

The data breach notice ostensibly notes that the breach “did not impact social security numbers or credit and debit card numbers.” That sounds reassuring, but the wording is not clear. TechCrunch asked Samsung if it collects and stores Social Security numbers and whether that data isn’t affected, but the company declined to say – only that the incident “didn’t impact” social security numbers. Samsung collects social security numbers as part of its financing options and as a requirement for Samsung Money users.

Why did it take a month to notify customers?

Looking at the breach timeline, Samsung claims the hackers stole data “in late July 2022,” which a generous read could interpret as any time after mid-July. Samsung may disclose the date – if known. It’s also worth noting that this is the date Samsung claims the data was exfiltrated from its network and does not include the time the hackers spent in Samsung’s systems before finally being discovered. Samsung discovered the data exfiltration on August 4, meaning Samsung didn’t know for weeks that customer data had been stolen.

As for disclosing the breach a month later, just hours before close of business on a Friday before a long holiday weekend? Well, that’s just miscommunication.

Samsung updated its privacy policy revealing its breach

On the same day it announced its data breach, Samsung also pushed a new privacy policy to its users. Thanks to a reader who alerted TechCrunch to the matter, the new policy now explicitly states that Samsung may use a customer’s “precise geolocation” for marketing and advertising purposes with the user’s consent. The new policy also specifies how long Samsung stores data that users share from the Quick Share feature. Samsung says it can “collect content you share, which will remain available for 3 days.”

TechCrunch asked Samsung how it defines user consent, but a spokesperson wouldn’t comment. Samsung wouldn’t say why it pushed a new privacy policy, but said the update was “unrelated” to the incident and was originally planned.


If you know more about the Samsung data breach or if you work at Samsung, you can contact this author through Signal at +1 646.755.8849 or through SecureDrop.
