Dell has been in the spotlight for all the wrong reasons this past week, after a malicious actor took to the media claiming he accessed 49 million Dell customer records without the company knowing.
Here’s everything we know so far.
How did the Dell data breach happen?
On May 10th, an individual identifying as Menelik stepped forward to the media, alleging a successful breach into Dell’s internal systems spanning several weeks.
According to their account, they gained access to a Dell online portal, from which they purportedly stole customer names, physical addresses, and order details. Shortly thereafter, they claimed to have struck again, targeting a separate portal to steal names, phone numbers, and email addresses of Dell patrons.
The method they described for the initial breach involved registering multiple bogus reseller accounts on a Dell partner portal. Once those partner accounts had been approved by Dell, Menelik claimed to have brute-forced customer service tags (seven-character alphanumeric identifiers) through the portal.
“I sent more than 5,000 requests per minute to this page that contains sensitive information,” Menelik asserted. “Believe it or not, I kept doing this for nearly 3 weeks, and Dell didn’t notice anything. Nearly 50 million requests… After I thought I got enough data, I emailed Dell multiple times about the problem. It took them almost a week to fix it all.”
Following the breach, Menelik purportedly advertised the stolen data on a dark web hacking forum.
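What the enumeration described above looks like from the defender's side, as an added illustration that is not code from the article or from Dell: a small Python detector that runs over constructed partner-portal access logs and flags accounts whose service-tag lookups are far above what a legitimate reseller would generate. The log format, endpoint path, account names and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Assumed (constructed) log format, not Dell's real portal logs:
# "<ISO timestamp> partner=<account> <method> <path>?service_tag=<tag> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2}Z partner=(?P<account>\S+) "
    r"\S+ (?P<path>/\S+?)\?service_tag=(?P<tag>[A-Z0-9]{7}) (?P<status>\d{3})$"
)

def detect_enumeration(lines, lookup_path="/partner/order-lookup",
                       per_minute_limit=60, distinct_tag_limit=500):
    """Flag partner accounts whose lookups look like service-tag enumeration.

    Two independent signals, either of which raises an alert:
      * lookups of the sensitive endpoint above per_minute_limit in any one minute
      * more than distinct_tag_limit distinct service tags queried overall
    Returns {account: {"peak_rate": int, "distinct_tags": int, "reasons": [...]}}.
    """
    per_minute = defaultdict(lambda: defaultdict(int))  # account -> minute -> count
    tags = defaultdict(set)                              # account -> distinct tags
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["path"] != lookup_path:
            continue  # unparsable line or not the sensitive endpoint
        per_minute[m["account"]][m["ts"]] += 1
        tags[m["account"]].add(m["tag"])
    alerts = {}
    for account, minutes in per_minute.items():
        peak, distinct, reasons = max(minutes.values()), len(tags[account]), []
        if peak > per_minute_limit:
            reasons.append(f"{peak} lookups in one minute (limit {per_minute_limit})")
        if distinct > distinct_tag_limit:
            reasons.append(f"{distinct} distinct service tags (limit {distinct_tag_limit})")
        if reasons:
            alerts[account] = {"peak_rate": peak, "distinct_tags": distinct, "reasons": reasons}
    return alerts

# Constructed sample: one reseller doing normal lookups, one hammering the lookup page.
SAMPLE_LOGS = [
    "2024-04-20T10:15:01Z partner=reseller-a GET /partner/order-lookup?service_tag=ABC1234 200",
    "2024-04-20T10:16:30Z partner=reseller-a GET /partner/order-lookup?service_tag=ABC1235 200",
] + [
    f"2024-04-20T10:15:{i % 60:02d}Z partner=reseller-b GET /partner/order-lookup"
    f"?service_tag=TAG{i:04d} 200"
    for i in range(120)  # 120 sequential tags inside a single minute
]

if __name__ == "__main__":
    for account, info in detect_enumeration(SAMPLE_LOGS).items():
        print(account, "->", "; ".join(info["reasons"]))
```

In production the per-minute counter would live in a streaming pipeline or SIEM rule rather than an in-memory dict, but the two signals (burst rate and breadth of identifiers touched per account) are the ones that would have surfaced a weeks-long run at 5,000 requests per minute.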
How has Dell responded?
Despite the hacker in question notifying Dell about the breach, Dell's response was slow. For one, the company released a statement saying that there was no “significant risk to our customers”.
However, the stolen data included sensitive information such as names and postal addresses, alongside other data relating to purchases of Dell products. All of this information could be used for highly targeted phishing attacks.
Moreover, the presence of an intruder on Dell’s network for weeks without detection raises concern about the company’s overall cybersecurity resilience.
While Dell states that it initiated incident response procedures upon receiving an email from Menelik, it appears the announcement of the incident has taken customers and compliance officials by surprise.
For example, Ireland’s Data Protection Commission (DPC) has only just received a data breach notification from Dell, even though the company has known about the incident for weeks, if not months.
Lessons learned
There are several lessons to be learned from the Dell incident. These are as follows:
- Transparency: Underplaying the severity of a breach doesn’t sit well with the media, customers, or privacy watchdogs. If your company suffers a data breach, lean into transparency and accountability.
- Multi-factor authentication: MFA isn’t a silver bullet. But it’s a simple way to prevent account takeovers like this.
- Zero trust: Employing a zero trust model would have prevented the hacker–even with legitimate account access–from accessing sensitive information without further verification.