Dell has begun sending breach notification emails to some 49 million people whose data was apparently stolen in a recent cyberattack.
The type of information involved includes people’s names, postal addresses, and Dell hardware and order information, such as service tags, item description, order dates, and different warranty information.
“We are currently investigating an incident involving a Dell portal, which contains a database with limited types of customer information related to purchases from Dell,” the company said in the notification letter. “We believe there is not a significant risk to our customers given the type of information involved.”
Tangible risk
Dell has notified relevant authorities and brought in third-party cybersecurity experts to assess the damage. So far we don’t know if this was a simple data smash-and-grab, or a ransomware attempt.
The company believes the risk to its customers is not significant since financial and payment information, email addresses, and phone numbers were not stolen in this attack.
However, the risk of phishing or even major malware and ransomware attacks still exists, since threat actors can send out personalized letters with removable drives and deploy malicious code that way. It has happened in the past.
At the same time, someone has most likely already bought the database on the dark web.
A cybercriminal with the alias Menelik posted a new thread on a dark web forum, advertising a Dell database fitting the company’s description: “49 million customer and other information systems purchased from Dell between 2017-2024.” The thread was quickly deleted, which usually happens if someone buys the database.
Since the information was most likely already acquired, if you are a Dell customer who purchased hardware between 2017 and 2024, it would be wise to be extra wary of any communication claiming to be from the company, especially if you get it in the mailbox.
The U.S. Patent and Trademark Office (USPTO) kept an open, internet-accessible database of private postal addresses belonging to patent filers for more than eight months.
The U.S. government agency, responsible for handling patents and trademarks, sent a notification letter to affected individuals, explaining what had happened, and what it did following the discovery.
As reported by TechCrunch, which saw a copy of the letter, the USPTO was transitioning from an old IT system to a new one, and during the migration it “inadvertently exposed” a database containing sensitive filer data.
Unprotected databases
The addresses are a mandatory requirement in order to prevent fraud, it was said. One could not have found them simply by searching for the addresses on the website, but if one were to open a dataset the USPTO publishes to help researchers, they would have found them in bulk. Roughly 14,000 addresses were exposed this way.
The USPTO was apparently the first one to spot its own mistake, after which it “blocked access to the impacted bulk data set, removed files, implemented a patch to fix the exposure, tested our solution, and re-enabled access,” it said in the letter. The dataset was exposed between mid-August 2023 and mid-April 2024. USPTO believes no threat actors found or stole the data.
Unprotected and misconfigured databases are one of the most common causes of data spills and leaks these days. Different companies, from both private and public sectors, are often found exposing sensitive customer and citizen data this way. In one notable example, the Brazilian government recently managed to inadvertently expose sensitive data on its entire population – more than 220 million people.
It’s official: Disney Plus’ password crackdown will begin in June – but you might not be affected by the initial rollout.
Speaking on CNBC, Disney CEO Bob Iger confirmed that Disney Plus subscribers won’t be able to share their account with anyone who lives in a separate household from mid-2024 onwards. This is a slight change from the last information we received regarding Disney Plus’ password crackdown, with Disney previously suggesting (on February 7) that its anti-password sharing rules would take effect in early 2024.
However, like Netflix, which introduced its own account sharing crackdown in May 2023 – read our Netflix password sharing hub for more details – Disney won’t roll out its plan worldwide in June. Indeed, Iger revealed that it would be introduced in select nations in less than two months (at the time of writing) before it expands globally in late 2024.
“Password sharing is [on the way],” he said. “In June, we’ll be launching our first real foray into password sharing in just a few markets, but then it will grow significantly with a full rollout in September.”
It’s unclear which countries will be hit first by Disney Plus’ password clampdown. If history is any indication, I’d expect Canada, Spain, and some Latin American nations – the first places that Netflix’s account sharing crackdown was introduced in early 2023 – to be similarly hit by Disney with its initial password crackdown rollout. For more details when we have them, keep an eye on our Disney Plus password sharing hub.
Disney Plus’ account sharing crackdown explained
So, why is Disney Plus joining Netflix on the password sharing ban train? In short, it’s all to do with the company’s finances. It’s common knowledge that Disney has been hemorrhaging money recently – indeed, as revealed in investor calls and quarterly earnings reports over the last few years, Disney has *ahem* felt the cost of wading into the rapidly expanding streaming sector.
It’s a major reason why Iger, who retired in December 2021, returned to steady the ship less than a year after he was succeeded by Bob Chapek. As Iger noted in his most recent CNBC interview: “The losses were $4 billion a year – clearly, that was not sustainable or acceptable”. Since his return, Disney has turned its financial fortunes around, posting a much smaller loss of £137 million in the three-month period between November 2023 and February 2024. Iger suggests Disney will be profitable once more by the year’s end, too.
What does all of this have to do with Disney Plus’ password crackdown? As Netflix has already shown, preventing people from sharing their accounts between households drives subscriber growth. As of January 2024, Netflix has 260.28 million users – over 22 million more than it had six months earlier. That uptick in new users is down to its account sharing ban, whose rollout initially led to a downturn in users. Indeed, Netflix’s password crackdown got off to a terrible start as fans cancelled their subscriptions to try and show that the world’s best streaming service was wrong to roll out such a plan.
With one of its biggest entertainment rivals benefitting from its own account sharing clampdown scheme, it was inevitable that Disney would introduce its own plan for its two streaming platforms. That’s right, Disney Plus isn’t the only Disney-owned service that’ll stop users from sharing accounts between households – Hulu is also set to join Netflix and Disney Plus in cracking down on password sharing.
If you’ve been waiting to stream some of the best Disney Plus shows and best Disney Plus movies, my advice would be to start working your way through your back catalog right away. June’s really not that far away and, even if you’re given a stay of execution and don’t get hit by the crackdown until September, we’re already a quarter of the way through 2024, so September will be here before you know it. Stream those Marvel and Star Wars projects you’ve been putting off ASAP, then.
Four out of five organizations around the world (85%) suffered at least one data loss incident last year.
This is according to a new report from cybersecurity researchers Proofpoint, which says that most of the time, it’s not the computers’ fault – it’s ours.
Earlier this week, Proofpoint published its inaugural Data Loss Landscape report. This paper, which explores how current approaches to data loss prevention (DLP) are holding up against macro challenges, is based on a survey of 600 security professionals working in large enterprises, as well as data from the company’s Information Protection Platform, and Tessian.
The human factor is again to blame
According to the report, data loss is usually the result of poor interactions between humans and machines. “Careless users” are much more likely to cause data incidents than compromised or otherwise misconfigured systems.
Proofpoint further claims that many organizations are happy to invest in DLP solutions, but these investments are “often inadequate”. Of all the organizations that suffered a data loss incident, almost nine in ten (86%) faced negative outcomes, such as business disruptions, or revenue losses (reported by more than half – 57% – of affected firms).
“Careless, compromised, and malicious users are and will continue to be responsible for the vast majority of incidents, all while GenAI tools are absorbing common tasks—and gaining access to confidential data in the process,” commented Ryan Kalember, chief strategy officer, Proofpoint. “Organizations need to rethink their DLP strategies to address the underlying cause of data-loss—people’s actions—so they can detect, investigate, and respond to threats across all channels their employees are using including cloud, endpoint, email, and web.”
Misconfigured databases – incidents in which employees, for example, forget to set up a password for a major database – are one of the most common causes of data leaks.
Over the years, we’ve witnessed millions of people lose their sensitive information that way. For example, early this year, Cybernews found an unprotected database holding sensitive information on the entire population of Brazil. Another example is a BMW security error that resulted in the leak of sensitive information belonging to its customers.