Victims of a major data breach shouldn’t panic, technology giant Dell has promised as it goes into damage control after a cyber criminal abused an insecure partner portal to scrape customer names, addresses, and equipment details from 49 million sales in Australia and around the world.
Recent emails from Dell Technologies advised affected customers that data compromised during the breach – which came to light after the computer giant last week began sending notification emails to affected customers – included names, physical addresses, and details of their orders of a broad range of Dell products including service tags, item descriptions, order dates, and other information related to their warranties.
Because it did not include “highly sensitive information” such as customers’ phone numbers, email addresses, or financial or payment information, Dell said it believes the breach “is not a significant risk to our customers given the type of information involved.”
Yet with around 49 million customers compromised – including every person who purchased a Dell product between 2017 and 2024, according to the initial report on DailyDarkWeb – the breach will still be invaluable for cybercriminals that cross-match it with other information to add more detail to profiles on data breach victims.
Even seemingly innocuous details about what devices customers bought from Dell could be abused for malicious purposes: knowing what model of computer a person has, for example, would give a malicious actor an inventory of the software installed on that computer.
This would, in turn, provide a laundry list of potential vulnerabilities that could be abused to breach the victim’s system – including the more than 1,000 vulnerabilities in Dell software that have already been documented in public threat intelligence databases.
That would be gold for scammers running technical support or remote access scams, in which criminals contact customers and trick them into providing access to their computers, bank accounts, and private information – a tactic that took over $15.5 million from 8,975 reported Australian scam victims last year alone.
Knowing that the victims would have already been contacted by Dell about the breach, scammers could expect a warm reception when posing as a Dell customer support victim to approach victims with offers of assistance – a point that Dell’s email conceded in advising customers to be on the lookout for tech support phone scams.
Tech giant caught unawares
Even as Dell downplayed the severity of the incident, revelations from the person responsible showed that the company – which, ironically, last month updated a range of cyber security products to boost customer security and resiliency – had been caught flat-footed by a series of design and process errors in its partner portal.
A hacker known as ‘Menelik’, who posted the customer database for sale and provided more details to cyber security news site BleepingComputer.com, said the data was stolen by abusing an API that Dell had created to allow partners, resellers, and retailers to look up information about customer orders.
Menelik created a number of fake company names and applied for access to the portal, which was granted without question or verification within two days.
Having been given access to Dell’s customer database, Menelik created a script to generate 7-digit service tags at random, then used them to scrape the details that the portal provided.
Because the Dell system made no checks and did not throttle access, the scripts were able to run nonstop, generating 5,000 database requests per minute for three weeks.
Such brute-force attack methods were seen in 21 per cent of all data breaches analysed in Verizon’s latest Data Breach Investigations Report (DBIR), which noted that this kind of basic web application attack “has fewer steps…. Like many things that are not overly complicated, it works extremely well.”
The stolen data ultimately included details on the purchase of products including 22.4 million Dell monitors, 11.3 million Inspiron laptops, 5.2 million Optiplex servers, 4.1 million Latitude laptops, 1 million XPS notebooks, and 400,000 XPS/Alienware desktops favoured by gamers.
Dell’s security team didn’t even detect the breach until Menelik wrote the company’s security team on 12 April to advise the company – which assured customers that it “takes the privacy and confidentiality of your information seriously” – about of the design flaws that had allowed them to scrape data unchallenged for three weeks.
Dell revenues reached a record $155 billion ($US102.3 billion) during fiscal 2023, settling during fiscal 2024 to $133.6 billion ($US88.4 billion).
