Western Digital: Customer info stolen in that IT attack
Hard times for buyers of these hard drives
Customer information was stolen from the IT systems of Western Digital in the March security breach we've previously reported, forcing the storage manufacturer to shut down its online store until at least next week.
Western Digital (WD) disclosed the intrusion in early April, saying that in late March its engineers discovered someone had broken into "a number" of the biz's systems. In a brief statement at the time, officials said they had disconnected their systems and services from the public internet and were working to restore regular operations.
WD also said it was working with outside forensic experts to probe and repair the damage, though offered little other info.
In an update late last week, WD admitted the intruders grabbed a copy of the database powering Western Digital's online store. That trove included a range of personal information of the store's customers – including names, billing and shipping addresses, email addresses, and telephone numbers.
Other data stolen included – in "encrypted" form – hashed and salted passwords and partial credit card numbers.
The company's online store features a small banner that reads: "We'll be back soon. We are unable to process orders at this time." And where a button marked "Buy Now" would usually appear, it's been replaced by one marked "Find A Reseller."
The disk slinger's plan is to restore access to accounts the week of May 15. The My Cloud service – which was shut down as part of the proactive measures taken after the security breach and includes such stuff as My Cloud Home, My Cloud Home Duo, My Cloud OS5, and SanDisk ibi – was restored April 13.
WD also outlined steps customers can take to protect themselves against fraud and other abuse of their personal information, and advised now is the time for heightened awareness of crooks using the intrusion to lure victims to phishing pages.
What wasn't included in the letter was any mention of the usual credit monitoring after a privacy blunder. The Register has contacted WD for more information and will update the story if the business responds.
Who is behind this?
There also is the issue of the stolen information being released publicly by the miscreants who acquired it. The crooks claiming to have orchestrated the theft boasted at one point they had stolen 10TB of data from Western Digital, including WD's code-signing certificate. The crew said they wanted an eight-figure ransom payment.
In late April, the BlackCat ransomware group – also known as ALPHV – posted to its website purported screenshots of data stolen from WD. It also reportedly interrupted a video-conference call among Western Digital's security incident response team, taunting the group, and even going as far as sharing a screenshot of the meeting, according to cyber researcher Dominic Alvieri.
Some WD users voiced their frustrations over the breach, and what they said was the vendor's tardy communication.
"Took them long enough to say something," one netizen wrote on Reddit, noting that on another subreddit channel, "people have been talking about their site doing weird shit for what seems like months. Removing the ability to buy drives and stuff like that."
Another user said that "we need laws that heavily hurt companies that suffer 'customer data breaches', and hurt them even more if they are found to try and cover them up. We need to incentivize these companies to stop holding customer data."
Others took a more measured view.
"To be fair all the things they listed seem pretty essential if you're selling physical goods to people," one person wrote. "Are they just supposed to not have a record of where things got sent to or something? I'm all for data privacy, but I really don't think this is a case that deserves heavy penalties.
"The fact is that sometimes shit happens – you can do everything right and still have things go wrong. I don't think it's fair to penalize companies for this sort of thing unless it's clear that they were capable of avoiding it or reducing the impact but chose not to." ®