Like many of you, I woke up today to a dreadful email from Samsung telling its “valued customers” that it had “discovered a cybersecurity incident” that affected our personal information.
It’s another data breach.
Below is the screenshot of the message I got. My sympathy to anyone who also found it in their inbox.
Dong’s note: This post has been updated to include, among other things, Samsung’s response.
“Security is a top priority” and then something happened
As you might have noted, Samsung started the unexpected letter with “At Samsung, security is a top priority” and then went on to tell us that basically everything is fine going forward as long as we get the annual “free credit report”.
While that might seem formulaic and insincere, I’ll take what the company says at face value and believe Samsung really cares about its customers’ security and privacy. It has all the reasons to do so.
Still, digging a bit, you’ll note that the way Samsung described the incident was vague.
Supposedly in “late July 2022, an unauthorized third party acquired information from some of Samsung’s U.S. systems.” So who was this party and how did they acquire the information?
After that, it took the company until August 4 to find out that the personal information of certain customers was affected. And then almost a month later, on September 2, it informed the affected parties.
These time gaps seem mysterious. What happened during these windows?
Update: I reached out to Samsung with those questions and concerns and here’s what I got from the company after a couple of hours:
We have taken the time to thoroughly understand your inquiry and would like to share the following information.
The protection of our customers’ data is extremely important to Samsung. We were recently made aware of a security incident relating to internal code within the company. According to our initial analysis, this does not include the personal information of our customers. We are continuing to strengthen our security system and have implemented measures to prevent further such incidents. We do not anticipate any impact to our customers.
We regret any inconvenience you may have experienced and appreciate your continued trust in the Samsung brand.
Mind you, none of my questions were addressed.
With these types of canned messages and responses, one has to wonder if there were other incidents the company chose not to disclose. After all, this is the second known data breach of Samsung this year.
Indeed, in March, the company was hacked and allegedly failed to protect its Galaxy smartphones’ source code. Samsung made the incident public only after the hacker flaunted some 190GB of stolen data online.
Can you trust Samsung?
Samsung is an electronics giant with the resources to have the best cybersecurity. And I have no doubt it wants and intends to keep its data safe.
Yet this kind of data breach has happened too often.
This time around, regarding how to prevent similar types of incidents in the future, Samsung offers this public canned and not-so-reassuring message:
“We are committed to protecting the security and privacy of our customers. We have engaged leading cybersecurity experts and are coordinating with law enforcement. We will continue to work diligently to develop and implement immediate and longer-term next steps to further enhance the security across our systems.”
So, in the end, it’s not about if you can trust Samsung but whether Samsung or any company its size can keep itself safe in cyberspace.
And if they can’t—as is evidently the case with Samsung so far—we, the consumers, are in big trouble until these companies drop the practice of forcing unnecessary “login,” “registration,” or “cloud management”—the common scheme that turns customers into products to further enrich themselves without accountability.
The takeaway
As users, we must consider the risks before getting our devices fully or partially connected to Samsung or any vendor, or before buying this or that brand of hardware at all.
Online privacy and security tips
To keep online privacy and security risks low, fragment the exposure by using different services or products for different needs.
The more deeply you get into an “ecosystem”—those of Amazon, Apple, Google, or Facebook—the more likely it is that your privacy is compromised, and to a higher degree, no matter how you feel or what you believe in.
If you want to stay somewhat anonymous, use different (email) accounts for different (sets of) devices or services.
Convenience is generally the antithesis of online privacy.
Here’s the most important thing: If you want to keep something completely private, don’t put it on the Internet!
Online privacy and security are a matter of degree. The most important and the best you can do is be aware of the danger and minimize the exposure when possible. If you trust the vendors, or any third party, to do the right things, you’d likely end up in a situation where no credit report can help. Far from it.
Got the same e-mail too. Checking my credit right now.
Sorry to hear that, P. You should check your credit once a year for a couple of years. If your information is misused by the bad guys, it’ll be a while before your credit reflects that.
Well well well. That is not well at all. I and my family are heavily invested into Samsung. All my 5 TVs, washer, dryer, refrigerator, stove, microwave, vacuum, laptop, tablet, and 3 family S22 Ultras are Samsung. We lived in Korea for 3 years and Samsung has almost become family. I am Should I return them all? Hahahaha.
I am scrambling to make sure my wife doesn’t see her email from Samsung. Unfortunately I log in to all of them for the convenience and to keep track of things like warranties or updates.
Like you always say convenience is the yellow brick road to destruction. Hahaha something like that. We shall see where this all goes. I never thought of having a credit monitoring service but this may change things for everyone with an online presence.
Mahalo Dong, let’s all commiserate together.
Taz
I really hate the noise my Samsung stove makes, the whining tunes. 🙂
As someone that recently had their identity stolen, I can sympathize. Another “me” was able to get a loan for about 6 grand – had all my information.
{spam removed}
Thanks for sharing your experience, David. Please note that the site does not tolerate spamming, intentional or not, as stated by the rules above.
I mentioned a product and said there are also others – not advocating for any brand. Your site, if you want to think that’s spamming, not like I can argue although I certainly disagree.
What you did violates rule #1, David. Please keep that in mind. Thanks.
Like I said, your site. I want my rules, guess I’ll have to have my own site, huh? No worries.
That’s correct, David. I want to keep the site 100% no-nonsense. You can disagree with that but all you can do here is be respectful. Thanks.
DN,
Honestly, it’s not a matter of “if”; it’s a matter of when. There are tons of best practices which we as consumers don’t follow. 2FA is our best friend at the end of the day. Limit your damage potential and preach to your family and friends not to download free apps unless truly needed and they have a good track record.
Vr
John In Da Rok
You’re right, John, but I don’t think 2FA helps in this type of data breach. If the bad guy gets a hold of the entire database and the key to read it, there’s no security on the users’ part that can help.
I have a special birth date I use online when required when registering at sites so that they never have my real one. I figure this is the least thing folks should do for some security against data breaches. I also scour my name/phone/address via searches to have my info removed where I can. 🤷♀️
That’s a good trick.
I got the same unsettling email. It gave me agida, seriously …
😓