Just hours before a holiday weekend in the United States, electronics giant Samsung announced that its U.S. systems had been breached a month earlier by malicious hackers who broke in and made off with reams of personal information about an unspecified number of customers.
The data breach is likely significant. Samsung is one of the largest technology companies with hundreds of millions of device owners — and users — around the world. But Samsung’s poorly explained data breach notification, coupled with the inexplicable delay in disclosing the data breach, has left customers reading the tea leaves and without a clear idea of what they can do to protect themselves, if at all.
TechCrunch marked up and annotated Samsung's data breach notification 🖍️ with our analysis of what it means, and what Samsung left out.
Samsung spokespeople, through crisis communications firm Edelman, declined to respond to questions we sent ahead of publication, citing the “ongoing nature of our coordination with law enforcement.”
What Samsung said in its data breach notice
Samsung knows the security incident is a data breach
Not all security incidents are created equal. Malicious hackers don’t always steal data; it depends on how the company’s systems and network are set up and how far the hackers go. In this case, Samsung knows that the data was “acquired” 🖍️ — or exfiltrated — by the hackers.
Remember, this is only the initial breach disclosure. Samsung provides the bare minimum of what the company has to tell you. The fact that hackers gained access to customers’ personal information either indicates that Samsung did not protect that data as it should have, or that the hackers had such deep access to Samsung’s network that they had access to customer data and possibly other highly sensitive files. This is also Samsung’s second known data breach this year after the Lapsus$ hacking team stole source code and other confidential internal documents from the company’s systems in March, although no customer information was taken.
Customers’ personal information has been stolen
Samsung says in its data breach notice 🖍️ that the hackers “in some cases” took customer names, contact and demographic information, dates of birth and product registration information. This suggests that not every Samsung customer is affected, but it could also mean that Samsung doesn’t yet know how much data was stolen in the breach.
Samsung earlier told TechCrunch that customers provide information when they register their devices to access “service and support, warranty information, software updates and exclusive offers to purchase future Samsung products.” This data includes the Samsung product model, the date of purchase and the unique identifier of the device, such as the IMEI number for phones, and advertising identifiers or serial numbers for other devices such as smart TVs.
Unique identifiers are designed to be pseudonymous rather than directly identifying, so on their own these strings of letters and numbers won’t be of much use to a hacker. But they are not anonymous. An advertising identifier can be reset by the user, whereas an IMEI or serial number is fixed to the hardware for its lifetime, and any of them can be joined against other data sets (advertising records, location data, product registrations) to identify a person or track their activity.
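The linkage described above, as an added example that is not part of the TechCrunch article or any Samsung code. Every record below is constructed: the names, e-mail addresses, device identifiers and coordinates are made up, and the IMEI used for the structure check is a textbook example value, not a real handset. The point it shows is that a pseudonymous identifier names nobody on its own, but one breached registration record that ties it to a name turns every other row keyed by that identifier, in any other data set, into data about a named person.

```python
"""Linkage of pseudonymous device identifiers with other data (added example).

Not from the TechCrunch article or from Samsung. All records are constructed;
identifiers, names and coordinates are invented for illustration.
"""
from collections import defaultdict

# Constructed "breached" product-registration rows: roughly the fields the
# notice says were taken (name, contact, date of birth, product registration,
# device identifier). Not real people or devices.
BREACHED_REGISTRATIONS = [
    {"name": "A. Example", "email": "a@example.com", "dob": "1990-01-02",
     "model": "SM-EXAMPLE1", "device_id": "ad-5f1c-0001"},
    {"name": "B. Example", "email": "b@example.com", "dob": "1985-06-07",
     "model": "TV-EXAMPLE2", "device_id": "sn-7b3e-0002"},
]

# Constructed second data set, e.g. from an ad-tech or data-broker source.
# It is keyed only by the pseudonymous identifier and carries no name at all.
AD_EVENTS = [
    {"device_id": "ad-5f1c-0001", "ts": "2022-07-20T08:05", "lat": 37.33, "lon": -121.89},
    {"device_id": "ad-5f1c-0001", "ts": "2022-07-20T19:40", "lat": 37.36, "lon": -121.92},
    {"device_id": "sn-7b3e-0002", "ts": "2022-07-21T21:00", "channel": "news"},
    {"device_id": "ad-9999-unknown", "ts": "2022-07-22T10:00", "lat": 0.0, "lon": 0.0},
]


def link_records(registrations, events):
    """Join the two data sets on the pseudonymous identifier.

    Returns {name: [event, ...]}. Events whose identifier does not appear in
    the breached registrations stay pseudonymous and are dropped.
    """
    by_id = {r["device_id"]: r for r in registrations}
    linked = defaultdict(list)
    for ev in events:
        reg = by_id.get(ev["device_id"])
        if reg is None:
            continue  # not in the breach: still just an opaque identifier
        linked[reg["name"]].append(ev)
    return dict(linked)


def reidentified_fraction(registrations, events):
    """Share of event rows that can now be attributed to a named person."""
    ids = {r["device_id"] for r in registrations}
    hits = sum(1 for ev in events if ev["device_id"] in ids)
    return hits / len(events) if events else 0.0


def parse_imei(imei):
    """Show that an IMEI is structured, not random.

    A 15-digit IMEI is an 8-digit Type Allocation Code (TAC, identifies the
    make and model), a 6-digit serial, and a Luhn check digit. Returns
    (tac, serial, luhn_ok). Looking the TAC up against the GSMA database is
    an external step not performed here.
    """
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be 15 digits")
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return imei[:8], imei[8:14], total % 10 == 0


if __name__ == "__main__":
    for name, evs in link_records(BREACHED_REGISTRATIONS, AD_EVENTS).items():
        print(name, [(e["ts"], e.get("lat"), e.get("lon"), e.get("channel")) for e in evs])
    print("re-identified fraction:", reidentified_fraction(BREACHED_REGISTRATIONS, AD_EVENTS))
    print(parse_imei("490154203237518"))  # textbook example IMEI, Luhn-valid
```

The unmatched `ad-9999-unknown` row is the counter-case: without a registration record tying it to a person it remains a meaningless token, which is exactly the protection the breach removes for the identifiers it exposed.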
Demographic data can include precise geolocation data
Samsung’s notice of the data breach included a vague reference to “demographic information” that was stolen by the hackers. Samsung says it’s collecting this unspecified demographic information 🖍️ to “help provide the best possible experience with our products and services” — or another way of saying targeted advertising.
The list in Samsung’s privacy policy is long and you should take the time to read it carefully yourself. The short version is that Samsung collects technical information about your phone or other device; how you use your device, such as which apps you have installed and which websites you visit; and how you interact with ads, data that advertisers and data brokers use to build a profile of you. The data may also include your “precise geolocation data,” which can be used to identify where you go and who you meet. Samsung also says it collects information about what you watch on its smart TVs, including which channels and programs you’ve watched.
Samsung also says it “may receive other behavioral and demographic data from trusted third-party data sources,” meaning Samsung buys data from other companies and combines it with its own customer records to learn more about you, again for targeted advertising. Samsung did not say which companies, such as data brokers, it receives this data from.
But that same data, in the hands of bad actors, can reveal a lot about a person and their online habits.
Why doesn’t Samsung just say any of this in its data breach notice? While the data may not be personally identifiable on its own, it is still personal in nature, since it relates to tastes, preferences and real-world activity. That is also why the finer details of what companies like Samsung collect about you are buried in privacy policies that no one reads (and we are all guilty of it).
Samsung declined to say whether data originating from third parties was compromised in the breach, but its spokespeople did not dispute our characterizations when contacted ahead of publication.
What Samsung didn’t say in its data breach notice
Samsung won’t say how many customers are affected
Samsung declined to tell TechCrunch how many customers were affected by the breach. One possibility is that Samsung doesn’t know, which is unlikely since it has already emailed customers it believes are affected. The other, more likely 🖍️ possibility is that the number of affected customers is so large that Samsung doesn’t want you to know because the company would find it embarrassing.
Samsung has hundreds of millions of users, but rarely discloses how many customers it has. Even if only 1% of its customers were affected, that could still amount to millions or tens of millions of people.
It is not clear why Social Security numbers are mentioned
The data breach notice notes 🖍️ that the breach “did not affect Social Security numbers or credit and debit card numbers.” That is reassuring at first glance, but the wording is unclear. TechCrunch asked Samsung whether it collects and stores Social Security numbers and, if so, whether that stored data was untouched, but the company declined to say, repeating only that the issue “did not affect” Social Security numbers. Samsung does collect Social Security numbers as part of its financing options and as a requirement for Samsung Money users, so the question matters.
Why did it take a month to notify customers?
Looking at the timeline of the breach 🖍️, Samsung says the hackers stole data in “late July 2022,” which on a generous reading could mean any point after mid-July. Samsung could reveal the exact date, if it knows it. It’s also worth noting that this is the date Samsung says the data was exfiltrated from its network; it says nothing about how long the hackers spent on Samsung’s systems before they were finally discovered. Samsung says it discovered the data exfiltration on August 4, meaning the company went for as long as two weeks without knowing that customer data had been stolen.
As for disclosing the breach a month after that, just hours before the end of the business day on a Friday before a long holiday weekend? Well, that’s just bad PR.