U.S. storage solutions provider Western Digital has suffered a security breach that granted an unauthorized third party access to certain computer systems.
The San Jose, California-based computer hard drive manufacturer and cloud solutions provider responded by putting many servers offline, temporarily denying customers access to their data.
The semiconductor and electronics company said on April 3 that the data breach occurred on March 26, 2023.
Western Digital Corp. (WDC) manufactures client and enterprise physical storage solutions such as hard disks and solid state drives (SSDs) and also offers its customers cloud storage services. With a workforce of 65,000 employees, the company earned $18.9 billion in revenue and $2 billion in profit in 2022.
Its financial position and the critical services it provides make Western Digital a lucrative target for cyber extortion.
Western Digital’s security breach locks out customers from their cloud data
Western Digital said it took precautionary measures to contain the security breach and protect its business operations by switching off many servers.
“The Company is implementing proactive measures to secure its business operations including taking systems and services offline and will continue taking additional steps as appropriate.”
The shutdown affected My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS 5, SanDisk ibi, and the SanDisk Ixpand Wireless Charger service.
According to the company’s status page, My Cloud Home and My Cloud OS 5 Services were still inaccessible two weeks after the incident.
However, local access was still possible via Windows and Mac computers connected to the same network as the storage devices. The company published a list of instructions on enabling local access.
Unknown amount of data taken during security breach
Although an investigation was “in its early stages,” Western Digital believes that the security breach allowed the hacker to access certain data.
“Based on the investigation to date, the Company believes the unauthorized party obtained certain data from its systems and is working to understand the nature and scope of that data.”
However, the company did not disclose the nature of the information likely accessed by the unauthorized third-party intruder.
Subsequently, Western Digital hired leading external security and forensics experts and was coordinating with law enforcement authorities to investigate the security breach.
“Upon discovery of the incident, the Company implemented incident response efforts and initiated an investigation with the assistance of leading outside security and forensic experts,” the company stated.
Western Digital’s response suggests a likely ransomware incident
Whether the security incident was a ransomware attack remains unknown, and no threat group has publicly taken responsibility at the moment.
However, the nature of the attack and Western Digital’s response suggest that the security breach was likely a ransomware incident.
“Because ransomware continues to grow and continues to be a major threat for organizations of all sizes, organizations should have a plan to deal with these sorts of attacks,” said Erich Kron, Security Awareness Advocate at KnowBe4. “Due to the exfiltration of data, having a focus on preventative controls as well as recovery is an absolute requirement.”
Meanwhile, some Western Digital customers took to social media and the official community support forum to complain about service outages resulting from the security breach.
The security incident is the second the company has recorded in less than two years. In June 2021, hackers exploited a suspected unpatched vulnerability to wipe Western Digital’s customers’ My Book Live NAS storage devices via factory resets.
“This is the latest reminder of what happens when attackers successfully gain unauthorized access to a victim’s network,” said Joseph Carson, chief security scientist and Advisory CISO at Delinea. “When that company is a cloud storage company who serves thousands of customers, the impact of this security incident escalates significantly with many consumers and businesses unable to access critical data remotely and receive a 503 Service Temporarily Unavailable notice.”