Dell customers who wondered why they had to reset their passwords earlier this month learned today that action was taken due to a data breach, a fact it took the company several weeks to disclose.
The computer maker reported today that it detected and disrupted unauthorized activity on Dell.com on Nov. 9, during time which a malicious actor attempted to extract customer information. In a statement, Dell said it has no conclusive evidence that any data was exfiltrated, but there is a possibility the malicious actor was able to obtain names, email addresses and hashed passwords for Dell online store customers.
“Credit card and other sensitive customer information was not targeted. The incident did not impact any Dell products or services,” Dell said in a statement.
The attack was thwarted by countermeasures Dell activated once the illicit activity was noticed, the company said.
Dell's action of resetting passwords without informing the potential victims of the reason why was met with anger by several industry executives.
"This incomprehensible action of mass password reset may damage Dell's reputation of a vendor who cares about information security and privacy. Preventive password reset can certainly be helpful; however, it should be properly accompanied with assuring explanations and transparent next steps," said Ilia Kolochenko, CEO of High-Tech Bridge. However, in this case, "potential victims of the alleged breach are abandoned in the darkness and ambiguity.”
The poor, but common cybersecurity practice where people reuse the same login information over several sites is another reason why the breach notification should have gone out immediately, Kolochenko said. By not doing so, any other site with the same credentials was placed at risk.
George Wrenn, CEO and founder of CyberSaint Security, called out Dell for seemingly downplaying the value of the data that was endangered.
“Setting an example, it is important for the company to not downplay the effects of a breach concerning personal information -- especially the exposed emails and hashed passwords which can open many doors for cybercriminals,” he said.
Cybercriminals often buy or steal credentials to access other sites where more valuable data might be stored, knowing that customers likely reused these same passwords across multiple accounts. For instance, Dunkin’ Donuts explained in a Nov. 29 statement that this was how some of its customer reward accounts were illegally accessed recently.
Sam Currie, Cybereason’s chief security officer, pointed out that Dell’s message implies two things. First, the intrusion was stopped before it reached any critical customer data and second, that the company is still in the midst of cleaning out its system.
“In general, hackers are rarely just after name, email and [hashed] passwords. They may have wound up with that as a consolation prize, but generally speaking it's cybercriminals who hunt those sorts of things, not nation-states, and it implies they didn’t go deep,” Curry said.