Korean smartphone and TV giant, Samsung, lost an unknown amount of data relating to an unknown number of customers—and kept quiet about it for almost a month.
So what happened? Who was affected? And are Samsung users safe?
What Happened in the Samsung Data Breach?
The short answer is that Samsung doesn't know how the data breach happened—or at least, it isn't saying in the September 2nd press release, which states simply that, "In late July 2022, an unauthorized third party acquired information from some of Samsung’s U.S. systems".
Samsung uncovered the breach on August 4th, 2022, and released this limited information a full 30 days later. Data breach disclosure legislation varies across the US, but it's a common stipulation that notification of such a breach be made as expeditiously as possible and without unreasonable delay. The maximum allowable timeframe for disclosure is between 30 days (Colorado, Florida) and 90 days (Connecticut). By delaying the disclosure this long, Samsung may be putting themselves in some jeopardy.
Who Was Affected by the Samsung Data Breach?
As to who was affected, Samsung isn't even giving out approximate numbers. It could be every customer who has ever owned a Samsung device, or it could be a mere handful. We don't know yet. Samsung has tried to reassure affected users by saying:
"We value the trust of our customers and, should we determine through our investigation that the incident requires further notification, we will contact you accordingly."
Android Police reports that, earlier this year, the hacking group, Lapsus$, claimed to have exfiltrated 190GB of sensitive data from Samsung, including algorithms for all biometric unlocking operations, source code for the bootloader for newer Samsung products, and all the source code behind the process of authorizing and authenticating Samsung accounts.
What Can You Do About It?
Okay, so what can you actually do about this breach? With this level of information being revealed, you should engage a credit monitoring service to keep an eye on any new card or loan applications in your name. Even better, freeze your credit until you're sure you're safe. It's probably a good idea to change your phone number, too.
And if you're concerned and want reassurance or further advice, contact Samsung directly. You can express your dissatisfaction too, so that, if something like this happens again, they don't treat your information in so seemingly careless a manner.
Close
The statement continues:
"We want to assure our customers that the issue did not impact Social Security numbers or credit and debit card numbers, but in some cases, may have affected information such as name, contact and demographic information, date of birth, and product registration information. The information affected for each relevant customer may vary."
Contact details likely include home address, phone number, and email. Additional information collected during product registration includes gender, precise geolocation data, Samsung Account profile ID, username, and more. Even just your email address can be valuable to criminals.
Samsung's half-hearted reassurance may console some customers that the criminals aren't using their credit card details to, for instance, buy untraceable cryptocurrency. However, the amount of information which the company admits may have been taken is staggering, and not something so easily passed off as immaterial.
With this level of detail, it should be relatively trivial for attackers to construct precision spearphishing attacks, engineer SIM swaps, and take out credit and loans in a victim's name.
Perhaps that's why Samsung's release takes pains to note that, while it is not offering free credit monitoring to victims, "you are entitled under U.S. law to one free credit report annually from each of the three major nationwide credit reporting agencies."