By Cam Sivesind
Fri | May 10, 2024 | 11:44 AM PDT

Dell, one of the world's largest technology companies, has just disclosed a major data breach that may have compromised the personal information of tens of millions of current and former customers.

According to an internal investigation by the computer giant, hackers managed to gain unauthorized access to Dell's databases sometime in 2022. The breach went undetected for several months before finally being discovered in early 2023.

Dell revealed that names, email addresses, phone numbers, and other sensitive data belonging to approximately 49 million customers were exposed in the incident—including both individual consumers and employees at corporate customers.

Importantly, Dell stated that payment card and banking information does not appear to have been accessed during the breach. However, it is still investigating whether more sensitive data like passwords or encrypted credit card info may have been compromised.

This latest data breach ranks among the biggest consumer privacy lapses of the last decade in terms of the sheer number of people potentially affected. Dell now faces the daunting task of directly notifying impacted customers and may be on the hook for millions in damages and legal fees.

Here's the message Dell sent out to affected customers on April 9th:

"An important message about your Dell information

Hello,

Dell Technologies takes the privacy and confidentiality of your information seriously. We are currently investigating an incident involving a Dell portal, which contains a database with limited types of customer information related to purchases from Dell. We believe there is not a significant risk to our customers given the type of information involved.

What data was accessed?

At this time, our investigation indicates limited types of customer information was accessed, including:

Name
Physical address
Dell hardware and order information, including service tag, item description, date of order and related warranty information

The information involved does not include financial or payment information, email address, telephone number or any highly sensitive customer information.

What is Dell doing?

Upon identifying the incident, we promptly implemented our incident response procedures, began investigating, took steps to contain the incident and notified law enforcement. We have also engaged a third-party forensics firm to investigate this incident. We will continue to monitor the situation.

What can I do?

Our investigation indicates your information was accessed during this incident, but we do not believe there is significant risk given the limited information impacted. However, you should always keep in mind these tips to help avoid tech support phone scams. If you notice any suspicious activity related to your Dell accounts or purchases, please immediately report concerns to security@dell.com."

Data security experts are highly critical of Dell's failure to detect the breach for such an extended period, leaving customer data vulnerable. They note that large enterprises must have robust cybersecurity monitoring and response plans in place.

Richard Halm, Senior Attorney at Clark Hill PLC, said the length of dwell time is concerning.

"A threat actor sitting in the network for several months is an extremely long time and raises several issues. First, from an investigatory standpoint, it's going to be difficult to identify what data the threat actor potentially accessed as logs roll over," Halm said. "Second, it raises questions about intent. If this was a ransomware group, once they had sufficient access and exfiltrated data, they would have triggered the ransomware. This usually takes days or sometimes weeks. The dwell time tends to indicate a more sophisticated actor. It also may indicate that their network was properly segmented and that the threat actor wasn't able to move laterally."

Steven Aiello, Field CISO at AHEAD, said, "The fact that the threat actors were inside Dell's network for so long is highly problematic. If you look at most threat intelligence reports, dwell times for ransomware activities are dropping. The fact that the attacker lay dormant for so long suggests they were after something more than a quick payday.

Dell provides organizations responsible for critical infrastructure with hardware and software solutions, including backup and recovery technologies. These technologies facilitate recovery from ransomware events, cybercrime, or cyber warfare. My hope is that Dell is thoroughly validating their code and supply chain for any evidence of tampering. If attackers were able to modify code responsible for operating critical infrastructure systems, this could quickly escalate from a data breach to a national security incident."

According to Jordan Fischer, Cyber Attorney and Partner at Constangy: "At this point, Dell is stating that the impacted data does not pose a significant risk to individuals. This will be something to monitor as more information is discovered in the investigation. Because of the extent of customers impacted, it will be important for those customers to remain vigilant in their communications with Dell, as threat actors could attempt to use the stolen information to impersonate Dell and intercept communications.

This breach comes on the heels of many headline-making breaches in these last few months. It will be interesting to see how regulators, both in the federal government and in states that maintain a consumer privacy law, approach Dell and its overall security following this incident."

Cybersecurity experts in the vendor space had additional comments.

Agnidipta Sarkar, Vice President, CISO Advisory, at ColorTokens:

"Because the data supposedly contains information about systems purchased from Dell between 2017-2024, and it contains personal information such as full names, addresses, cities, etc., it becomes a potential attack vector for someone who can correlate this information with other publicly available info," Sarkar said. "This can then be used to commit fraud or fool individuals with an intent to earn money, especially because today we are seeing AI and deep fakes that could result in the loss of someone's lifelong savings. This could result in litigation due to privacy violation and, depending on how much the info is misused, it could lead to unwanted legal exposure for Dell.

Could this have been prevented? Yes, and no. Everyone in the security community would tend to find fault with the teams handling the cause and impact of the breach, but in reality, only those who are in the middle of this breach know really how this could have been prevented. However, generically, with micro-segmentation capabilities available today, it is possible to contain this kind of attack even if an initial access has been made."

Sarah Jones, Cyber Threat Intelligence Research Analyst at Critical Start:

"The Dell data breach exposes a concerning pattern, even if the company maintains that only basic customer information was compromised. Leaked names, addresses, and purchase history constitute a privacy intrusion, potentially enabling attackers to craft highly targeted schemes," Jones said. "Phishing attempts impersonating Dell support to steal financial information or targeted marketing campaigns leveraging purchase history for manipulative tactics are both realistic possibilities. This incident highlights the potential for misuse of seemingly innocuous data. Furthermore, the discrepancy between Dell's downplayed assessment and the potential ramifications underscores the need for greater transparency. A more comprehensive explanation of the breach's scope and potential consequences would not only empower customers to take appropriate precautions but also rebuild trust in Dell's commitment to data security."

John Bambenek, President at Bambenek Consulting and a Dell customer affected by the breach:

"Companies always have a wide variety of information about their customers. As someone personally affected by this breach, I'm glad it doesn't have highly sensitive information," Bambenek said. "However, I'm still not a fan of the information that did get out there, and if someone did misuse that somehow, I'm the one that pays the price for Dell not doing enough to protect it."

For consumers, the Dell data breach is yet another reminder of the persistent risks of having personal information spread across numerous corporate databases. Experts recommend closely monitoring accounts for any suspicious activity and considering identity theft protection services.

Dell has stated it is working closely with law enforcement and cybersecurity firms as the investigation continues. The company also promises to take steps to harden its security posture moving forward.


"From a data access or exfiltration perspective, I'm more concerned about theft of IP related to their hardware, the security of their managed services and/or software related to their hardware," Halm added. "I'd like to see more assurance that there wasn't a broader compromise."

Halm is presenting on "How to Protect Yourself as a Security Leader" at SecureWorld Chicago on June 6th.
