Dell did not respond to warning about theft of customer data
While an attacker was tapping into customer data via a Dell API, he sent emails to the company. The company only responded when the data was published.
Data theft at Dell went on for three weeks.
(Image: Photon photo/Shutterstock.com)
A person with the pseudonym "Menelik" has spoken out via various US media about the recent data theft at Dell. Menelik claims to have leaked around 49 million of the company's data records, excerpts of which were recently published on the dark net and offered for sale in their entirety.
As the attacker apparently independently told TechChrunch and Bleeping Computer, the partial disclosure of the information came after Dell failed to respond to several of his emails. TechCrunch claims to have seen screenshots of the emails, and a Dell spokesperson confirmed that they had been received. In total, the attack took place over a period of three weeks, during which Menelik contacted Dell several times.
Automated data theft via API
He had discovered a gap in an unspecified online portal for Dell sales partners. This enabled him to automatically retrieve customer data at over 5,000 requests per minute, without any technical limitation. He had previously created several partner accounts, which Dell had apparently not checked thoroughly. As Menelik told Bleeping Computer, he was able to specify fictitious companies and after one or two days the account was activated.
Menelik also provided Bleeping Computer with a list of the devices purchased by the customers he had inspected. These included around 22 million monitors, 11 million Inspiron notebooks, 4 million Latitude notebooks, 5 million Optiplex PCs and around 800,000 Poweredge servers and Precision workstations. This indicates that there were also a number of larger companies among the customers that Dell had not adequately protected.
In addition to the disclosure of such quantities, the disclosure of real personal data is a particular problem of such gaps. In its initial response, Dell rightly warned against attempts at identity theft. In addition to 11 million company data records, the stolen information also includes the names and postal addresses of seven million individuals. It is not yet known which countries are affected.
(nie)
