
Friday, November 04, 2022

Samsung Breach

More insecurity emerges.

Samsung Breach Slams Consumers

By David Geer, Commissioned by CACM Staff

November 3, 2022

Samsung waited a month to disclose the breach, which one industry observer said "shows that they also believe the compromise is widespread."

"Samsung recently discovered a cybersecurity incident that affected some of your information," the breach notification read. Samsung addressed the email to me and other customers involved in the breach.

On Sept. 2, Samsung notified specific U.S. customers that a late July breach affected some of their data inside U.S. systems. According to the breach notification, customers had differing combinations of their names, contact and demographic data, birthdays, and product registration information stolen. The breach only involved Samsung's servers, according to AppleInsider; Samsung consumer devices and in-app control interfaces remained untouched. 

"We want to assure our customers that the issue did not impact Social Security numbers or credit or debit card numbers," the Samsung email continued. We know little about the late July breach, which Samsung confirmed internally by early August, though it didn't disclose it until September.

Litigants in a class action suit against Samsung Electronics of America asserted that the July breach, together with one in March, affected more than half of U.S. Samsung customers, according to Dark Reading.

That's a lot of people to leave in the dark. All my emails to the Samsung address generated automated responses about the breach, with no new information. We can surmise as much from what we don't know about the breach as what we know.

Did the March Breach Leave a Backdoor Open?

There are some clues to who breached Samsung and how they did it. According to Tom's Hardware, the Lapsus$ APT group breached Samsung source code secrets in March.

According to a KPMG advisory, source code secrets include access credentials such as API keys, access tokens, RSA keys, identifying certificates, and database connection strings buried in the software. According to the KPMG advisory, Samsung may not have removed the malware (malicious software) infestations from the March attack, so the July breach may have been an extension of the one in March.

"It is also interesting that Samsung waited a month to disclose the breach, which shows that they also believe the compromise is widespread. There is a fair chance that the most recent breach ties to the one disclosed in March," says Safi Raza, director of cybersecurity at Fusion Risk Management, a risk management consulting services and software solutions provider. ... '

