A month before the long holiday weekend in the United States, the electronics giant announced that its U.S. systems had been broken into and personal information of many of its customers had been stolen.
It's likely that the data hack is significant. The company has hundreds of millions of device owners around the world. Customers were left without a clear idea of what they could do to protect themselves after reading the poorly explained data breach notice.
With our analysis of what it means, we marked up and annotated the notice.
Our questions were not answered due to the "ongoing nature of our coordination with law enforcement" according to the spokesman for the company.
It is a security incident.
Security incidents are created differently. Depending on how a company's systems and network is set up, malicious hackers don't always steal data. The data was obtained by the hackers.
This is only the beginning of the problem. The minimum of what the company has to say is provided by SAMSUNG. The fact that the hackers were able to access customer data and other highly sensitive files is a sign that the company did not protect that data as well as it should. The Lapsus$ hacking crew stole source code and other confidential internal documents from the company's systems in March but no customer information was taken.
Personal information of customers was taken.
In some instances, the hackers took customer names, contact and demographic information, date of birth, and product registration information. It's possible that not every customer is affected, but it's also possible that the amount of data stolen isn't known.
Personal information includes names and birthdates. The privacy policy gives clues as to what other data was taken.
Customers give information when they register their devices to access service and support, warranty information, software updates, and exclusive offers. The data includes the product model, date of purchase, and the device's unique identifier, such as an IMEI number for phones and advertising IDs.
In the event of a data breach, the randomized strings of letters and numbers wouldn't be used. Unique identifiers can be combined with other data for targeted advertising or for identifying users, but they are not completely anonymous.
geolocation data is included in demographic data.
There is a vague mention ofdemographic information that was stolen by the hackers. To help deliver the best experience possible with our products and services, we collect this undisclosed demographic information.
According to the U.S. privacy policy, ad networks allow us to target our messaging to users. Through the use of automated means, these networks can track users online over time, including through the use of browser cookies, web beacon, and other similar technologies.
There are more clues in the company's privacy policy for advertising, which it links to in the data breach notice, about what demographic information includes.
The list is lengthy and you should read it carefully. There is a version that says that the company collects technical information about your phone, how you use it, and how you interact with ads, which are used by advertisers and data brokers. You can use the data to identify where you go and who you meet with. Information about what you watch on your smart TV is collected by the company.
In order to get more behavioral and demographic data from trusted third-party data sources, the company buys data from other companies and combines it with its own stores of customer information to learn more about you. The company wouldn't say which data broker it gets the data from.
The data in the hands of bad actors can show a lot about a person.
Why don't they just say all of this in the notice? While the data may not be personally identifiable, it is still personal in nature since it is linked to tastes, preferences, and our real-world activity.
When asked if data from third-parties was compromised in the incident, the company did not dispute our characterizations.
It isn't clear how many customers are affected.
It wasn't clear how many customers were affected by the incident. Since it has already sent email to customers it believes are affected, it is unlikely that either of them knows. It is possible that the number of customers affected is so large that the company doesn't want you to know.
It doesn't break out how many customers it has. Tens of millions of affected users could still be affected.
Social Security numbers are mentioned, but it's not clear why.
Social Security numbers or credit and debit card numbers weren't impacted by the data breach, according to the notice. It's reassuring on the face of it. The company wouldn't say if it collects and stores Social Security numbers, but it did say that the issue didn't affect Social Security numbers. Social Security numbers are collected by the company as part of its financing options.
It took a month to let customers know.
The hackers stole data in late July 2022, which could be seen as any point past the middle of July, according to the statement from the company. If it knew the date, it could reveal it. It is important to note that this is the date that the data was exfiltrated from its network and this does not include how long the hackers spent in the systems before they were discovered. It was discovered on August 4 that the data had been stolen.
It was disclosed just hours before the close of business on a Friday before a long holiday weekend. That is just bad public relations.
The privacy policy was updated by the company.
On the same day it was announced that it had a data hack, it also pushed a new privacy policy for its users. The new policy explicitly states that the company can use a customer's precise location for marketing and advertising with the user's consent. How long the data that users share from the Quick Share feature is stored is now spelled out in the policy. The contents you share will be available for three days.
A spokesman for the company wouldn't say what it means by user consent. The update was not related to the incident and was previously planned, according to the company.
You can get in touch with the author via either Signal or SecureDrop if you know more about the incident.
How to decode a data breach notice