Dell discloses breach affecting customer purchase database – Business

A hacker has breached a database that Dell Technologies Inc. uses to store information about customer purchases.

BleepingComputer and TechCrunch reported the cyberattack today, citing a notification that the hardware giant sent to affect customers on Wednesday. The alert was preceded by an April 28 post on a hacker forum that solicited bids for a dataset purportedly stolen from Dell. The post has since been deleted, which could reportedly be a sign that the hacker found a buyer.

The threat actor behind the cyberattack claims to have stolen data about 49 million customers and purchases. Several million affected customers are said to be individuals, while others include enterprises, schools, Dell partners and other organizations.

In its notification this week, the hardware maker detailed that “we are currently investigating an incident involving a Dell portal, which contains a database with limited types of customer information related to purchases from Dell. We believe there is not a significant risk to our customers given the type of information involved.”

It’s believed that the hacker accessed affected customers’ names and addresses, as well as information about the orders they placed with Dell. The compromised order information includes descriptions of purchased products, data about the associated warranties and certain related details. Dell stressed that the breach didn’t affect customers’ payment details, email addresses, phone numbers or “any other highly sensitive customer information.”

The relatively narrow scope of the breach will likely limit its impact on customers’ cybersecurity. On their own, names and addresses are typically not enough for a large-scale account takeover campaign. Hackers also require other information such as passwords.  

But the dataset stolen from Dell still has the potential to pose a cybersecurity risk. According to BleepingComputer, researchers have discovered multiple hacking campaigns in which cybercriminals targeted victims by mailing them malware-laden USB drives. Stealing addresses can potentially make it easier for hackers to launch such campaigns.

The Dell breach comes two months after Hewlett Packard Enterprise Co., one of the company’s top rivals in the data center hardware market, also disclosed a cyberattack. 

That incident first came to light when a hacker claimed to have stolen internal system logs, access tokens and other technical data from HPE. In an early February update, the company stated that the files in question were pilfered from a test environment. An HPE investigation found “no indication” that the hacker gained access to customer information or data associated with its production infrastructure.

Photo: Wikipedia