Dell Technologies is notifying customers of a preventable data breach that exposed their personal information via a poorly protected application programming interface (API).
The notification follows a recent BreachForums post by a threat actor auctioning the stolen data, which allegedly belongs to 49 million customers.
Dell confirmed that it was aware of the incident and that the threat actor had contacted it about the exploited vulnerability. However, the company downplayed the risks facing the impacted customers.
Dell acknowledges data breach, 49 million customers impacted
The Round Rock, Texas-based computing giant said the data breach exposed a customer portal database with limited types of information related to purchases, as well as warranty information.
“We recently identified an incident involving a Dell portal with access to a database containing limited types of customer information including name, physical address, and certain Dell hardware and order information,” the company said.
Cybercriminals could use the leaked organization names to target businesses, and leverage order and warranty information to craft convincing phishing messages for tech support scams. Such a campaign could lead to malware infections, including ransomware, as well as financial fraud, credential theft, or further exposure of personal information.
However, Dell assured customers that the data breach did not include payment information, email addresses, or telephone numbers. Consequently, the tech giant does not believe the data breach poses any “significant risk to our customers given the type of information involved.”
Several security experts have strongly disagreed with Dell’s assessment of the cyber risk facing the impacted customers.
Sarah Jones, a Cyber Threat Intelligence Research Analyst at Critical Start, noted that “the Dell data breach exposes a concerning pattern,” with the leaked information capable of “enabling attackers to craft highly targeted schemes.”
“Phishing attempts impersonating Dell support to steal financial information or targeted marketing campaigns leveraging purchase history for manipulative tactics are both realistic possibilities,” noted Jones.
She observed that the contrast between “Dell’s downplayed assessment” and potential impacts “underscores the need for greater transparency.”
“A more comprehensive explanation of the breach’s scope and potential consequences would not only empower customers to take appropriate precautions but also rebuild trust in Dell’s commitment to data security,” added Jones.
Similarly, Agnidipta Sarkar, Vice President of CISO Advisory at ColorTokens, warned that attackers could merge the leaked information with personal information from other sources to target impacted customers.
“Because the supposed data contains information about systems purchased from Dell…, it becomes a potential attack vector for someone who can correlate this information with other publicly available info to commit fraud or fool individuals with an intent to earn money, especially because today we have AI and deep fakes that could result in loss of a person’s lifelong savings,” said Sarkar. “This could result [in] litigations due to privacy violations and depending on how much the info is misused, it could result in unwanted legal exposure for Dell.”
Meanwhile, Dell has hired an external cyber forensics firm to investigate the incident, will continue to monitor the situation, and will take unspecified steps to protect customer information. The hardware, software, and IT services company also advised customers to remain vigilant and report any suspicious activity.
Additionally, Dell has applied containment measures to prevent further access and launched an investigation with law enforcement authorities.
However, the company refused to divulge more information about the data breach, including the number of victims and how the threat actor gained access, citing an ongoing investigation.
In April, the Daily Dark Web first reported that a threat actor named Menelik was selling Dell’s stolen data on BreachForums.
According to the threat actor, the trove contained 49 million Dell customer records with the order information of systems purchased from Dell between 2017 and 2024.
It includes the full name of the person or organization, a unique 7-character service tag, country, postal code, physical address, city, province, order number, shipping date, serial number (monitors only), warranty plan, and Dell customer number.
Additionally, the threat actor alleged that the database includes records from enterprise clients, business partners, and educational institutions. The data breach mainly impacted customers in the United States, Canada, Australia, China, and India.
Although the threat actor withheld the price, they said the database was available for sale to a single buyer. The post was quickly deleted, however, suggesting either that the database was promptly sold or that Dell paid a ransom to prevent the customer information from leaking.
Dell hacker exploited poorly secured API
The threat actor told TechCrunch that they registered a fictitious company on Dell’s partner portal and scraped the information from a poorly protected API. In other words, a self-registered partner account was enough to query customer records, and nothing throttled or alerted on the volume of queries.
The attacker allegedly sent over 5,000 requests per minute for nearly three weeks without being rate-limited. They also said they contacted Dell numerous times to disclose the vulnerability, which took over a week to patch. Dell has acknowledged receiving the threat actor’s emails.
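The scraping pattern described above (one account, thousands of lookups per minute, each for a different asset identifier) is exactly what an API owner should be alerting on. The script below is an added example written for this article, not Dell code and not the attacker’s tooling; the log format, the `/api/v1/assets/<tag>` endpoint, the account names, and the thresholds are all assumptions, and the sample log is constructed (300 lookups in 30 seconds rather than the 5,000 per minute reported here). It parses the lines, counts requests per account per one-minute bucket, counts distinct asset tags each account has looked up, and flags accounts that exceed either threshold, while ignoring malformed lines.

```python
"""Detect enumeration-style scraping of an asset-lookup API from access logs.

Added example; the log format, endpoint and accounts are assumptions, not Dell's.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <account> <method> <path> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<account>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Assumed endpoint keyed by a 7-character alphanumeric asset identifier.
ASSET_PATH = re.compile(r"^/api/v1/assets/(?P<tag>[A-Z0-9]{7})$")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    pm = ASSET_PATH.match(rec["path"])
    rec["tag"] = pm.group("tag") if pm else None
    return rec


def flag_scrapers(lines, max_rpm=60, min_distinct_tags=100):
    """Flag accounts that exceed max_rpm in any one-minute bucket, or that
    look up at least min_distinct_tags distinct asset identifiers overall.

    Returns {account: {"peak_rpm": int, "distinct_tags": int, "reasons": [str]}}.
    """
    per_minute = defaultdict(lambda: defaultdict(int))
    tags = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip lines that do not match the assumed format
            continue
        bucket = rec["ts"].replace(second=0, microsecond=0)
        per_minute[rec["account"]][bucket] += 1
        if rec["tag"]:
            tags[rec["account"]].add(rec["tag"])

    findings = {}
    for account, buckets in per_minute.items():
        peak = max(buckets.values())
        distinct = len(tags[account])
        reasons = []
        if peak > max_rpm:
            reasons.append(f"peak {peak} req/min exceeds {max_rpm}")
        if distinct >= min_distinct_tags:
            reasons.append(f"{distinct} distinct asset tags looked up")
        if reasons:
            findings[account] = {
                "peak_rpm": peak,
                "distinct_tags": distinct,
                "reasons": reasons,
            }
    return findings


def build_sample_log():
    """Constructed sample (not real traffic): one partner account enumerating
    sequential tags at a high rate, one ordinary account doing a few lookups."""
    start = datetime(2024, 4, 1, 10, 0, 0)
    lines = []
    # Scraper: 300 lookups in 30 seconds, tags incrementing like a counter.
    for i in range(300):
        ts = start + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} partner-shell-co GET /api/v1/assets/{i:07d} 200")
    # Normal user: three lookups spread over several minutes.
    for i, tag in enumerate(["ABC1234", "XYZ9876", "QWE4567"]):
        ts = start + timedelta(minutes=2 * i)
        lines.append(f"{ts.isoformat()} support-agent-17 GET /api/v1/assets/{tag} 200")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for account, finding in flag_scrapers(build_sample_log()).items():
        print(account, "->", "; ".join(finding["reasons"]))
```

The distinct-tag count matters as much as the rate: an attacker who slows down to stay under a per-minute limit still has to touch a new identifier for every record they want, so counting distinct keys per account over a longer window catches the slow enumeration that a simple rate limit misses. Either signal on a partner account that has no business relationship with the assets it is querying is also a reminder that the underlying fix is authorization scoping, not just throttling.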
Dell has suffered data breaches in the past. In 2018, the tech giant experienced a cyber attack that resulted in unauthorized access and forced the company to reset user account passwords.