Samsung UK discloses year-long breach, leaked customer data

Updated The UK division of Samsung Electronics has allegedly alerted customers of a year-long data security breach – the third such incident the South Korean giant has experienced around the world in the past two years.

An email to customers, shared on social media by web security consultant and Have I Been Pwned creator Troy Hunt, detailed that the breach exposing data of customers who made purchases between July 1, 2019 and June 30, 2020 was discovered on November 13.

Samsung Electronics UK said an unauthorized individual exploited a vulnerability in a third-party business application used by the firm. Exposed information included names, phone numbers, plus physical and email addresses.

• Lapsus$ extortionists dump Samsung data online, chaebol confirms security breach
• NATO investigates after criminals claim to be selling its stolen missile plans
• Samsung sued for gobbling up too much personal info that miscreants then stole
• Gauss we've all got a fresh option for a gen AI handheld: A Samsung device

Samsung previously acknowledged a nearly 200GB breach by extortion gang Lapsus in March 2022 that included internal information such as Galaxy smartphone source code.

Only a few months passed before Samsung's US outpost reported another breach: a late July intrusion that targeted customer data. Samsung revealed that customers potentially had names, contact and demographic information, birth date and product registration information stolen, but not social security numbers.

After the July 2022 hack, Samsung gave assurances that it had taken action to secure affected systems and that it was working with authorities.

Despite such promises, the combination of the two cyber intrusions earned the chaebol a class action lawsuit in September 2022. The suit alleged Samsung unnecessarily collects personally identifiable information from its customers and subsequently fails to protect it.

The lawsuit asserts that customers were forced into handing over their data or else functions and features on TVs and printers would be disabled.

Samsung "was aware that the fraudsters and criminals who had access to the stolen source codes and authentication-related information (among other confidential data) could penetrate defendant's weak systems," argued the suit.

Updated to add at 1137 UTC

Samsung has been in touch to say: "We were recently alerted to a cybersecurity incident, which resulted in certain contact information of some Samsung UK e-store customers being unlawfully obtained.

"No financial data, such as bank or credit card details, or customer passwords, were impacted.

"We have taken all necessary steps to resolve this security issue, including reporting the incident to the Information Commissioner's Office and contacting affected customers."