No organization wants to suffer a data breach in which highly sensitive or personal data is compromised. But what about a data scraping incident that involves less sensitive information? How concerned should the company — and the people whose data was compromised — be?
Consider the data breach notification that Dell recently sent to many of its customers. The letter revealed that “limited types of customer information” was scraped from a customer database on a Dell portal. The compromised data included customers’ names and physical addresses, along with order information such as transaction dates, product serial numbers and warranty details. The notification emphasized that no payment, financial or “highly sensitive customer” information was obtained in the incident, and Dell asserted, “We believe there is not a significant risk to our customers given the type of information involved.”
Let’s take a closer look at this incident and explore whether it is truly insignificant for the customers whose information was compromised, and for Dell as well.
Resident CISO (EMEA) and VP of Security Research at Netwrix.
The database was advertised on a cybercrime forum
The Dell breach came to light when a threat actor known as Menelik posted on a cybercrime forum on April 28. Menelik claimed to have scraped the data of 49 million customer records from a Dell portal that contained customer ordering information pertaining to Dell purchases made between 2017 and 2024.
In the post, Menelik invited interested parties to contact them, implying an intent to sell or distribute the stolen data. The post has since been removed from the forum — which suggests that the database has indeed been acquired by another entity, who may well attempt to monetize the content.
All information is exploitable
The Dell breach notification implies that because the scraped data did not include financial details, login credentials, email addresses or phone contact information, any damage from its compromise will be minimal. Consider this though: Malicious actors who have demonstrated their ability to steal data from some of the largest corporate networks in the world may very well possess the ingenuity to exploit even a minimal information set.
In fact, enterprising cybercriminals have proven adept at leveraging seemingly innocuous data to orchestrate more extensive attacks or combine it with other compromised information for nefarious purposes. They actively trade and share large data dumps containing millions of stolen user records from major data breaches on dark web forums and underground marketplaces. They take data from different breaches and leaks, and then cross-reference or combine the information to build more comprehensive profiles of individuals. For example, they can match names or email addresses across different breach sets to aggregate and correlate associated passwords, personal details, and more.
Today, armed with AI, they can accomplish these goals faster than ever.
The possibilities are endless
Indeed, while the compromised Dell information may seem innocent enough, there are endless ways for the threat actors to monetize it. For example, they could easily craft what looks like an official Dell product notice and send it to customers. It could include a QR code that the customers can conveniently use to confirm their data or take advantage of a special offer to extend their warranty — only to have the QR code direct them to a malicious site that installs malware on their device.
Another option is to cross-reference the personal names in the Dell database with other collections of breached data, such as stolen login credentials. The resulting information could be used to launch a massive credential stuffing attack on Dell, which might enable the adversaries to exfiltrate financial records or other highly sensitive information.
The well-known site Have I Been Pwnd provides a straightforward way for even novice users to determine if their personal data, such as email addresses, usernames and passwords, has been compromised in documented data breaches. Now, imagine this process being conducted at a massive scale by skilled hackers, leveraging sophisticated techniques and vast repositories of stolen data.
Reputational damage and legal penalties
While data-scraping incidents are not as overt as forceful breaches, the consequences for the victim organization can still be severe. One consideration is mandates like GDPR, HIPAA and PCI-DSS. From a compliance standpoint, the manner in which data is compromised is irrelevant. If the organization, as the custodian of the data, fails in its responsibility to secure it adequately, and if regulated data is exposed, this organization could be subject to fines and other penalties.
Even if no compliance violations are uncovered, an organization that suffers a data scraping incident can still incur significant damage to its reputation. Erosion of trust among current and potential clients can lead to customer churn, reduced revenue and other serious financial consequences.
Conclusion
Regardless of how a data compromise unfolds, data theft is data theft, and the damage is real. With the current cyberthreat landscape, cyberattacks are not a matter of if, but when. Accordingly, organizations need to have a resilient cybersecurity architecture and a robust incident response plan in place. Being able to mitigate the likelihood and impact of a breach and ensure fast recovery will pay major dividends down the road.
We’ve featured the best encryption software.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro