Like many of you, I woke up today to a dreadful email from Samsung telling its “valued customers” that it had “discovered a cybersecurity incident” that affected our personal information.
It’s another data breach.
Below is the screenshot of the message I got. My sympathy to anyone who also found it in their inbox.
Dong’s note: This post has been updated to include, among other things, Samsung’s response.
“Security is a top priority” and then something happened
As you might have noted, Samsung started the unexpected letter with “At Samsung, security is a top priority” and then goes on to tell us that basically everything is fine going forward as long as we get the annual “free credit report”.
While that might seem formulaic and insincere, I’ll take what the company says at face value and believe Samsung really cares about its customers’ security and privacy. It has all the reasons to do so.
Still, digging a bit, you’ll note that the way Samsung described the incident was vague.
Supposedly, in “late July 2022, an unauthorized third party acquired information from some of Samsung’s U.S. systems.” So who was this party, and how did they acquire the information?
After that, it took the company until August 4 to find out that the personal information of certain customers was affected. And then almost a month later, on September 2, it informed the affected parties.
These time gaps seem mysterious. What happened during these windows?
Update: I reached out to Samsung with those questions and concerns and here’s what I got from the company after a couple of hours:
We have taken the time to thoroughly understand your inquiry and would like to share the following information.
The protection of our customers’ data is extremely important to Samsung. We were recently made aware of a security incident relating to internal code within the company. According to our initial analysis, this does not include the personal information of our customers. We are continuing to strengthen our security system and have implemented measures to prevent further such incidents. We do not anticipate any impact to our customers.
We regret any inconvenience you may have experienced and appreciate your continued trust in the Samsung brand.
Mind you, none of my questions were addressed.
With this type of canned message and response, one has to wonder if there were other incidents the company chose not to disclose. After all, this is the second known data breach at Samsung this year.
Indeed, in March, the company was hacked and allegedly failed to protect its Galaxy smartphones’ source code. Samsung made the incident public only after the hacker flaunted some 190GB of stolen data online.
Can you trust Samsung?
Samsung is an electronics giant with the resources to have the best cybersecurity. And I have no doubt it wants and intends to keep its data safe.
Yet this kind of data breach has happened too often.
This time around, regarding how it will prevent similar incidents in the future, Samsung offers this canned and not-so-reassuring public message:
“We are committed to protecting the security and privacy of our customers. We have engaged leading cybersecurity experts and are coordinating with law enforcement. We will continue to work diligently to develop and implement immediate and longer-term next steps to further enhance the security across our systems.”
So, in the end, it’s not about if you can trust Samsung but whether Samsung or any company its size can keep itself safe in cyberspace.
And if they can’t — as has evidently been the case with Samsung so far — we, the consumers, are in big trouble until these companies drop the practice of forcing unnecessary “login,” “registration,” or “cloud management” — the common scheme that turns customers into products to further enrich themselves without accountability.
As users, we must consider the risks before connecting our devices, fully or partially, to Samsung or any vendor. Or whether we should buy this or that brand of hardware at all.
Online privacy and security tips
Fragment your exposure by using different services or products for different needs to keep online privacy and security risks low.
The more deeply you get into an “ecosystem” — those of Amazon, Apple, Google, or Facebook — the more likely your privacy is compromised, no matter what you feel or believe.
If you want to stay somewhat anonymous, use different (email) accounts for different (sets of) devices or services.
Convenience is generally the antithesis of online privacy.
Here’s the most important thing: If you want to keep something completely private, don’t put it on the Internet!
Online privacy and security are a matter of degree. The most important and best thing you can do is be aware of the danger and minimize your exposure when possible. If you trust the vendors, or any third party, to do the right thing, you’ll likely end up in a situation where no credit report can help. Far from it.