Samsung warns a year of UK customer data stolen in breach

17 Nov 2023


Samsung said the stolen data includes customer names, phone numbers and emails and could impact those who made purchases between July 2019 and June 2020.

Samsung has warned that UK customers may have had their personal data stolen in a third-party data breach.

In an email to customers shared on X, Samsung said it recently discovered that an “unauthorised individual” exploited a vulnerability in a third-party business application to access the personal data from customer purchases.

Samsung said the breach could impact customers who made purchases on the company’s UK e-commerce site between July 2019 and the end of June 2020. The stolen data includes customer names, phone numbers and email addresses, but Samsung claims no passwords or financial information was accessed.

A company spokesperson told BleepingComputer that the data breach is limited to the UK region and does not include any data belonging to US customers. Samsung has not shared details about the vulnerability or how it was exploited.

Muhammad Yahya Patel, lead security engineer at Check Point Software, said organisations need to actively monitor third-party access on their networks to spot security gaps and said the supply chain is “notoriously difficult to fully secure”.

“It also serves as yet another reminder for consumers to keep their own security in check,” Yahya Patel said. “It is possible that hackers may leverage the stolen information to launch phishing attacks in the future using the Samsung brand as a lure.

“At this time of year, with the shopping season about to start, it is important that people scrutinise any emails they receive and adopt caution about ‘too good to be true’ promotions or offers.”

Phishing remains a key tool in the arsenal of cyberattackers, as they use basic data such as phone numbers and emails to attempt to trick people into sharing more sensitive data. Attackers also employ phishing tactics to try to gain access to sensitive data in businesses.

In July, a report by NordLayer claimed fake job offers and phishing attempts are the top forms of fraud used against businesses on LinkedIn. Last month, Microsoft issued a warning about Octo Tempest, a criminal group that uses advanced phishing tactics, according to the company.

Samsung faced another data breach last year, when hackers stole internal company data and source code for Galaxy devices. The attack was claimed by Lapsus$, the same cyberattackers that targeted Nvidia the previous week.


Leigh Mc Gowran is a journalist with Silicon Republic
