
Customers' personal info stolen in data breach, Western Digital says

SSD makers admit names, addresses, and encrypted passwords were pinched

Western Digital, the PC storage giants behind some of the best gaming SSDs, have released an update on a data breach that occurred in late March. Uplifting news, it is not: the "network security incident" was a large-scale case of digital thievery, with the culprits stealing a database containing the names, billing and shipping addresses, email addresses, and telephone numbers of customers of WD's online store.

The plundered database also included encrypted and salted passwords and partial credit card numbers, according to the statement. Western Digital are contacting affected users directly, and have temporarily shut down their store.

Though the company first publicly acknowledged the breach with a press release on April 3rd, more than a week after the March 26th incident took place, Western Digital kept quiet on both the content and the nature of the breach while they investigated. TechCrunch, however, soon reported it as an extortion attempt, with the then-unnamed hackers demanding an eight-figure sum for the stolen data’s return. Ransomware group BlackCat ultimately claimed responsibility and, according to security researcher Dominic Alvieri, have already been sharing screenshots of other pilfered material, including Western Digital’s internal comms and videoconferences.

"We are aware that other alleged Western Digital information has been made public," the latest WD statement reads. "We are investigating the validity of this data and will continue reporting our findings as appropriate."

"Regarding reports of the potential to fraudulently use digital signing technology allegedly attributed to Western Digital in consumer products, we can confirm that we have control over our digital certificate infrastructure. In the event we need to take precautionary measures to protect customers, we are equipped to revoke certificates as needed. We'd like to remind consumers to always use caution when downloading applications from non-reputable sources on the Internet."

Despite the modus operandi of the apparent thieves, this doesn’t appear to technically be a ransomware attack, which would normally involve the perpetrator encrypting an application or service to block the victim’s access until they pay up. Still, by Western Digital’s own admission, an awful lot of personally identifiable information has fallen into very much the wrong hands. If you’ve bought an SSD or hard drive from their official store, be sure to check your email and set about changing your passwords.
