Pierluigi Paganini
May 08, 2023
In March 2022, Western Digital was hit by a ransomware attack and in response to the incident, it shut down several of its services. The company disclosed that an unauthorized party gained access to multiple systems.
“Western Digital is currently experiencing a service outage impacting the following products: My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS5, SanDisk ibi, SanDisk Ixpand Wireless Charger.” reads the status page of the company on April 2, 2023. “We are working to restore service. We apologize for any inconvenience. Next update will be posted on Monday, April 3.
“On March 26, 2023, Western Digital identified a network security incident involving Western Digital’s systems. In connection with the ongoing incident, an unauthorized third party gained access to a number of the Company’s systems.” reads the press release issued by the company. “Upon discovery of the incident, the Company implemented incident response efforts and initiated an investigation with the assistance of leading outside security and forensic experts. This investigation is in its early stages and Western Digital is coordinating with law enforcement authorities.”
According to an Update on Network Security Incident the company states that account access to Western Digital’s online store also was impacted and that it plans to restore the service by the week of May 15, 2023.
The company is sending customers data breach notification letters to confirm that threat actors have stolen sensitive personal information in the March attack. The company said that they are working with leading forensic and security experts to investigate the extent of the incident in coordination with law enforcement.
“We are writing to notify you about a network security incident involving your Western Digital online store account. After learning of the incident, we quickly launched an investigation to understand its nature and scope. Based on the investigation, we recently learned that, on or around March 26, 2023, an unauthorized party obtained a copy of a Western Digital database that contained limited personal information of our online store customers.” reads the data breach notification sent by Western Digital to the customers. “The information included customer names, billing and shipping addresses, email addresses, and telephone numbers. As a security measure, the relevant database stored, in encrypted format, hashed passwords (which were salted) and partial credit card numbers. We have temporarily suspended online store account access and the ability to make online purchases. We expect to restore access the week of May 15, 2023.”
Exposed information included customer names, billing and shipping addresses, email addresses, and telephone numbers. The company pointed out that the compromised database contained customers’ hashed/salted passwords and partial credit card numbers
Western Digital is warning customers of being cautious of any unsolicited communications that ask for their personal information or refer them to a web page asking for personal information. Customers are recommended to avoid clicking on links or downloading attachments from suspicious emails.
The threat actors behind the ransomware attack are threatening to leak the stolen data and are using the leak site of the ALPHV ransomware group even if they appear not directly affiliated with the RaaS.
“We’ve seen speculation surrounding customer data. To clarify, we obtained a full backup of their SAP Back Office, which dates back to the last week of March. The backup contains everything and anything you could imagine from the beginning of their partnership with SAP. Industry Experts can explain to the public what a full backup entails.” reads a message published on the leak site by the group. “However, it’s important to know that WDC discovered the breach the next day and canceled their SAP contract. As a result, their online store remains non-functional! Their average cloud spend exceeds 7 figures every month.”
The last message from the group is dated April 28, a circumstance that suggests they are still attempting to extort Western Digital.
We are in the final!
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini
Please nominate Security Affairs as your favorite blog.
Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware)
