I got their notice email, apparently I bought a laptop charger from them years ago, and after all this time they were still keeping my name, email and physical address, which now leaked. So that's how.
Hello,
Dell Technologies takes the privacy and confidentiality of your information seriously. We are currently investigating an incident involving a Dell portal, which contains a database with limited types of customer information related to purchases from Dell. We believe there is not a significant risk to our customers given the type of information involved.
What data was accessed?
At this time, our investigation indicates limited types of customer information was accessed, including:
Name
Physical address
Dell hardware and order information, including service tag, item description, date of order and related warranty information
I think it's more likely that an attacker would make a fake collections call if you bought something really expensive, especially if they can prove you bought on credit or something. A little ChatGPT and you'd have a targeted script to use.
The leak didn't include phone numbers or emails but I'm sure there will be attempts at spear phishing businesses since they can figure out the business name from the physical address.
Hello,
Dell Technologies takes the privacy and confidentiality of your information seriously. We are currently investigating an incident involving a Dell portal, which contains a database with limited types of customer information related to purchases from Dell. We believe there is not a significant risk to our customers given the type of information involved.Sending you this single message satisfies our legal disclosure requirement. Beyond that, we have no actual intention of fixing this, providing you with a meaningful compensation for the breech or really doing anything different at all truthfully. Fuck you.
I know you're being flippant, but it's worth noting that there is a considerable difference between a company getting hacked like this and an app with unfettered access to the cluster to sensors that we've got in our pockets.
The thing with tik tok isn't only with the data China can gather from US residents. It's also how they can use that information to influence the populace and send them propaganda, for example influencing the election results.
The section Methods on the Cambridge Analytica wiki page explains it pretty well. While it's not proven to be able to directly influence voting, it's effective at swaying people's opinions and emotions about subjects.
So imagine you go to tiktok.com and you click on a link to bestbuy.com/cool-product-i-want-to-buy. But instead of taking you directly to bestbuy.com/cool-product-i-want-to-buy, it keeps you on tiktok.com and just opens an iframe with a keylogger injected into it.
So then when you enter credit card info into the bestbuy.com UI, the tiktok.com JS can see what you typed.
(This scenario is largely impossible these days, due to modern browser security.)
The difference is that if you witnessed this kind of XFS in your desktop browser, you might notice it because the location bar still says tiktok.com, because you never actually left the site. But in a mobile in-app browser, you don't need an iframe. You can inject JS directly into the browser itself, making it invisible to the user. As far as you can tell, you're on regular ol' bestbuy.com, not a modified version of it.
I'm not a security expert, but my tech career has involved a lot of automated testing in weird scenarios, including iframe-based Facebook games and browser-based mobile apps. Automated tests face a lot of the same challenges that a malicious third-party would, so I know a little bit about how to get past them -- or rather, how to deliberately create vulnerabilities (in the dev build of your system) so that your tests can get past them.
Edit: I am curious why someone downvoted me on that one though. I can understand how my comment about the ban being dumb but TikTok also shipping a keylogger could anger people on one side or the other. But just explaining how in-app browsers revive a security problem that's been long-solved in standalone browsers?
Even then, why do they need to store my personal information? After delivery, my info should be wiped besides the date of purchase for said serial number.
These companies should be forced to pay big money to each and every person affected by these breaches. Not like $120. Like $10,000 per. Teach them real lessons
The breach here is pretty minor, in my book. Name, address, specifics of computer purchased. The name and address is pretty much available and linked already. The computer isn't, but doesn't seem that abusable. Maybe it could help someone locate more-expensive, newer computers for theft, but I don't see a whole lot of potential room for abuse.
afaict only if a specific hardware vulnerability was found and they cross-linked it with an online account or other network info to try and exploit it.
Or, I guess you could just assume Windows and go with one of the many zero-days that happen there. The trick is still crosslinking them tho. Presumably google has the wifi info.
It's only minor if the data points in this breach are used by themselves.
Once you aggregate this with other data breaches, you could end up with a much bigger capability to target anyone in this breach.
I do see potential room for abuse.
Let say someone has the list and contact the members of the list saying that they are from Dell and it is about the computer they purchased. They have all details, spec, address, etc so it believable.
Then they tell them to buy some “antivirus” or install some “hot fix” etc. Scammers are already doing this, but it is less convincing.
Exactly, a lot data exfil'd is used to enrich other sources. All data loss should be treated as a catastrophic failure of security controls. Corporate victims should pay for their customers potential loss of identity and privacy as a preemptive action, even if the data in of itself may be considered low risk.
If compliance with this is difficult then executives should be forced under law to post all of their personal info into Wikipedia with audio samples of their voice, full genome mapping and mugshots.
Fuck these companies and their profits over people attitude.
Instantly makes ransomware [edit 2: my brain was being dumb, I didn't mean literally ransomware, I meant hackers blackmailing companies with the threat of releasing/selling stolen data] far more profitable.
Edit: And heavily discourages self-reporting. There’s a Schneier quote I like: “You can't defend. You can't prevent. The only thing you can do is detect and respond.”
Absolutely. But the penalty does modify the cost-benefit analysis. If a hacker demands $5m or else they will release stolen data, you might be more inclined to YOLO the 5 mil on the 1% chance they're an honest hacker if the penalty for the breach is $50bn.
Even $120 would be amazing. I just got an email that said too bad. I just bought a monitor cause that’s where they sold it. Idk why they have to save my info. I just want to pay for the product. If it was up to me, they would delete all my info immediately. They only need to record when the serial number was sold anyway.
I agree. Even at $120 each. 120 times tens of millions is serious fucking cash.
We need to have a couple of big companies go bankrupt over this shit. Then maybe they will start taking it seriously. Perhaps at that point maintaining personal data on people will be seen as a liability rather than an asset. And that's what we really need.
Disagree. Breaking the corporate veil would have a whole lot of unintended consequences and would basically kill investment as a concept. I agree we need to do more about corporations that violate the law with impunity and get wrist slaps. I don't think that's it.
Because it would greatly increase the cost and risk of investment. Think not just for billionaires, but for anybody.
Imagine somebody buys a couple tens of thousands of dollars of a stock as part of their retirement, that company does something bad, and now not only do they lose their investment but they lose the rest of their retirement also.
I am all for wiping out shareholders, especially big ones, when a company does something super stupid. There should be an incentive for shareholders to hold companies they invest in accountable.
But suggesting that company owners become personally liable for the actions of those companies, especially when those equity owners have little or no control over the decisions of the company, that is a recipe for disaster.
Isn't that the whole point of insurance? They assess the risk of that liability and average it out over time so you just pay a little bit of your return.
Oh I'm sure there would be insurance for that, but it would be expensive. It would dramatically reduce the amount of overall investment in the nation. That is a very bad thing, it would slow down the rate of our economy and innovation.
Don't get me wrong, the current setup where companies treat your data like an asset and then lose it and nothing happens is broken. There need to be stiff penalties for it. Corporate death penalty even, especially with an ending of all too big to fail. I'm talking penalties scary to the point that whatever profit could be made from your personal information isn't worth the risk of having it, companies are scared to collect info.
This would especially be true if there is negligence involved, like when companies put their databases on open S3 buckets. Companies should be scared shitless of that.
But destroying our system of investment is not the answer.
The cost of that insurance doesn't just disappear - today it's paid by ordinary folks left holding the bill. A company that can't afford to pay for its expected damages is doing more harm than help to the economy.
This isn't just an answer to leaked databases. Companies can deliver profits when things go well, and then disappear after they ruin thousands of people's lives.
If a company ruins people's lives, I'm okay with them disappearing and all their investors losing their shirts.
I agree that a company that can't afford to pay for the damage it is causing is doing more harm than help and should go away.
What I think we can both absolutely agree on, is that the current system where companies forcibly collect all kinds of information on people, don't take security seriously, get breached, and the only punishment that happens is a few million dollars fine they can just write a check for and everyone affected gets a year of credit monitoring, is a broken system.
In many of these breaches, they happen because the data was stored so poorly one could make a serious argument for gross negligence.
When a company does this and the punishment is a wrist slap, I have a problem with that. It becomes a cost of doing business, not something company management is actually afraid of.
Also, as somebody who actually works in IT, I can tell you cyber insurance is a thing. For small businesses it covers this sort of breach. When you sign up for it they send you a whole questionnaire that asks about your security practices. It's all boilerplate bullshit. Real cybersecurity involves an insane amount of complexity and required understanding at every level, and the insurance questionnaire is like do you use multi-factor authentication for your email y/n?. If you check no you get a higher insurance premium.
Perhaps a solution would be a mandatory payment of $250 per person made directly to that person if their information is breached. And if the company fails to report it within 60 days, it triples. If the company intentionally conceals it, it quadruples. And should the company go bankrupt and liquidate, these payments to users will be considered the primary creditor and take priority over all others.
So no more of this '$10 discount on your next purchase and a year of credit monitoring' class action settlements, put some real fucking teeth in a law. People would get some real compensation. And personal information would no longer be seen as a $20/person asset but rather as a potentially destroy the company liability.
Yup. We need more of the corporate death penalty. And when corporations are so big that 'killing' them would harm the economy, I argue we're back to too big to fail. Maybe the answer is giant fines, and if the company can't pay, wipe out the largest shareholders and then resell the stock over time.
Make people's personal information a giant hot potato that nobody wants to be holding.
In the case of this breach, I'd be happy with a $10 payout, the consequences for me are actually pretty low here. That being said, I think we'd be lucky if Dell had to pay more than $0.50 per person, and that money will probably go to a lawyer's fees, not me.
