Late last week, after threat actors posted evidence of a hack on BreachForums, Dell started warning 49 million customers that a threat actor had obtained their personal information through a data breach using a partner portal API, which they accessed while posing as a fake company. The breach was first reported by DailyDark Web. The data includes detailed customer information on Dell system purchases between 2017 and 2024. With a huge portion of Dell’s $88.4 billion in annual revenue coming from sales to the US government, this reaches deeply into that sector.
The data includes customer information of purchases made from Dell in the US, China, India, Australia, and Canada. Data stolen includes:
- The full name of the buyer or company name
- Full address
- Unique seven-digit service tag of the system
- Shipping date of the system
- Warranty plan
- Serial number
- Dell customer number
- Dell order number
The threat actor known as Menelik put the data up for sale on the Breached hacking forum on April 28th and told BleepingComputer that they were able to steal the data from a portal for Dell partners, resellers, and retailers. All Menelik had to do was register multiple accounts under fake company names, and he had access within two days without any additional verification.
“It is very easy to register as a Partner. You just fill an application form,” Menelik said.
“You enter company details, reason you want to become a partner, and then they just approve you, and give access to this “authorized” portal. I just created my own accounts in this way. Whole process takes 24-48 hours.”
The threat actor claims they could harvest the information of 49 million customer records by generating 5,000 requests per minute for three weeks, without Dell blocking the attempts.
The threat actors said they emailed Dell on April 12th and 14th to report the bug to their security team, but apparently Dell never replied to the emails and didn’t fix the bug until approximately two weeks later, around the time the stolen data was first put up for sale on the Breach Forums hacking forum.
Ted Miracco, CEO of Approov Mobile Security, had this to say:
The breach was conducted via an API accessible through the partner portal, which Menelik accessed using the fake accounts. The ability to generate 5,000 requests per minute for an extended period without being flagged or blocked by Dell’s security systems points to inadequate rate limiting and abnormal activity detection on Dell’s APIs, beyond the blatantly lax vetting process for registering partners. This lack of robust API security controls such as proper throttling and anomaly detection mechanisms exposed Dell to prolonged unauthorized data extraction. The breach impacts customers across multiple major markets, including the US, China, India, Australia, and Canada, potentially exposing Dell to regulatory scrutiny and fines under various data protection laws like GDPR, CCPA, and others. Moreover, the breach should erode trust among Dell’s customers and partners, affecting its reputation negatively.
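The throttling and anomaly detection Miracco describes is straightforward to express as a log check. The following is an added example, not code from this post or from Dell: it scans a constructed partner-portal API log for accounts that exceed a per-minute lookup ceiling, or that query far more distinct service tags than any genuine reseller would, which is the signature of bulk record harvesting. The endpoint path, the thresholds and the log format are all assumptions.

```python
"""Flag bulk service-tag enumeration in partner-portal API logs.

Each log line (constructed format, not any vendor's real one):
    <ISO-8601 timestamp> <account> <endpoint> <service_tag>
"""
from collections import defaultdict
from datetime import datetime, timedelta

RPM_LIMIT = 60            # assumed per-account ceiling on order lookups per minute
DISTINCT_TAG_LIMIT = 500  # assumed: more distinct tags than a real reseller would query


def parse_line(line):
    ts, account, endpoint, tag = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), account, endpoint, tag


def find_enumeration(lines):
    """Return {account: reason} for accounts whose lookups look like harvesting."""
    per_minute = defaultdict(lambda: defaultdict(int))  # account -> minute -> count
    tags = defaultdict(set)                             # account -> distinct tags seen
    for line in lines:
        ts, account, endpoint, tag = parse_line(line)
        if endpoint != "/api/orders/lookup":            # assumed lookup endpoint
            continue
        per_minute[account][ts.replace(second=0, microsecond=0)] += 1
        tags[account].add(tag)
    flagged = {}
    for account, buckets in per_minute.items():
        peak = max(buckets.values())
        if peak > RPM_LIMIT:
            flagged[account] = f"{peak} lookups in one minute (limit {RPM_LIMIT})"
        elif len(tags[account]) > DISTINCT_TAG_LIMIT:
            flagged[account] = f"{len(tags[account])} distinct service tags queried"
    return flagged


def constructed_log():
    """Sample traffic: one reseller behaving normally, one account harvesting."""
    start = datetime(2024, 4, 1, 10, 0, 0)
    lines = []
    for i in range(12):   # genuine reseller: a dozen lookups of its own orders in an hour
        ts = (start + timedelta(minutes=5 * i)).isoformat() + "Z"
        lines.append(f"{ts} reseller-legit /api/orders/lookup TAG{i:05d}")
    for i in range(900):  # harvester: sequential tags at 300 per minute for three minutes
        ts = (start + timedelta(seconds=i / 5)).isoformat() + "Z"
        lines.append(f"{ts} partner-fakeco /api/orders/lookup TAG{10000 + i:05d}")
    return lines


if __name__ == "__main__":
    for account, reason in find_enumeration(constructed_log()).items():
        print(f"ALERT {account}: {reason}")
```

A production version would key the same counters on the token or client certificate rather than the account name, and would block at the gateway rather than only alert.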
Dell has a lot of explaining to do. There is no way that this should have happened. I hope that Dell gets smacked silly by authorities everywhere so it sends a message that companies have to make every effort to protect customer data without fail. And that there’s going to be punishment if that’s not happening.
This entry was posted on May 14, 2024 at 8:44 am and is filed under Commentary with tags Dell, Hacked.
Dell Gets Pwned…. 49 Million Customers Affected