Samsung has disclosed a year-long data breach affecting customers who made purchases on its UK online store between July 1, 2019, and June 30, 2020.
The South Korean tech giant became aware of the breach on November 13, 2023, more than three years after the affected purchase window closed, and began notifying impacted individuals via email.
“We were recently alerted to a cybersecurity incident, which resulted in certain contact information of some Samsung UK e-store customers being unlawfully obtained.”
In the breach notification letters sent to impacted customers and shared on X by the Have I Been Pwned? founder Troy Hunt, Samsung disclosed that the threat actors exploited a vulnerability in a third-party business application.
Samsung confirms data breach at UK online store
Samsung investigated the online store data breach and confirmed that the threat actors extracted customer data, including names, phone numbers, addresses, and email addresses.
However, no financial data, such as bank or credit card details, and no account information, such as passwords, was impacted. The breach affected only customers of the UK online store.
“While the focus is on the fact that no financial information was compromised, oftentimes personal information can be more valuable to criminals as they can use the information repeatedly to attack individuals,” said Javvad Malik, Lead Security Awareness Advocate at KnowBe4. “Which is why continued user awareness training is key, because as long as breaches continue to occur, individuals will remain the primary target of attack.”
Samsung said it took all the necessary steps to address the security vulnerability, notified the impacted customers, and reported the data breach to the UK’s Information Commissioner’s Office (ICO). An ICO spokesperson confirmed that the regulator was aware of the incident at Samsung’s UK online store and would be making inquiries.
However, the attacker’s identity, the number of victims, and what has since happened to the stolen information remain unknown or undisclosed. The attacker apparently made no attempt to extort the company, which may explain why the breach went undetected for so long.
Meanwhile, some customers reported finding their information on the dark web, while others questioned whether the notification emails were genuine.
Multiple cybersecurity incidents over the past two years
Samsung’s UK online store data breach is the third cybersecurity incident to hit the South Korean tech giant in two years.
In an earlier incident, the stolen data included source code for applets running in the TrustZone environment, which handles sensitive device operations such as biometric unlock, as well as Samsung Galaxy bootloader source code. Confidential data from third-party chipmakers such as Qualcomm was also accessed in Samsung’s US data breach. However, the threat actors did not access personal information, and Samsung said it had implemented security measures to protect users’ devices.
In September 2022, threat actors breached Samsung’s US systems and accessed some customer information, though not financial information. That breach resulted in a class action lawsuit alleging that the company failed to protect the personal information it collects.
The class members said Samsung requires extensive personal information, such as dates of birth, geolocation data, and postal addresses, in exchange for access to its products’ functionality, including device drivers.
They added that the company claims to provide robust security measures to protect personal information from unauthorized access.
“Samsung’s representations of strong and robust security have proved false and misleading—Samsung admittedly failed to safeguard the sensitive personal identifying information of millions of its consumers, or implement robust security measures to prevent this information from being stolen,” the class members stated.
They argued that they would not have purchased Samsung’s products had they known their information was at risk.