Hours before a long holiday weekend in the United States, electronics giant Samsung announced its U.S. systems were breached a month earlier by malicious hackers, who broke in and made off with gobs of personal information about an unspecified number of its customers.
The data breach is likely significant. Samsung is one of the largest technology companies with hundreds of millions of device owners — and users — around the world. But Samsung’s poorly explained data breach notice, coupled with its unexplained delay in disclosing the data breach, left customers reading the tea-leaves and without a clear idea of what they can do to protect themselves, if at all.
TechCrunch has marked up and annotated Samsung’s data breach notice 🖍️ with our analysis of what it means — and what Samsung leaves out.
Spokespeople for Samsung, via crisis communications firm Edelman, declined to answer the questions we sent prior to publication, citing the “ongoing nature of our coordination with law enforcement.”
What Samsung said in its data breach notice
Samsung knows it security incident is a data breach
Not all security incidents are created equally. Malicious hackers don’t always steal data; it depends on how a company’s systems and network is set up and how far the hackers get. In this case, Samsung knows that data was “acquired” 🖍️ — or exfiltrated — by the hackers.
Remember, this is only the initial breach disclosure. Samsung is providing the very minimum of what the company has to tell you. The fact that hackers accessed customers’ personal information either shows Samsung did not protect that data as well as it should, or that the hackers had such deep access to Samsung’s network that they were able to access customer data and presumably other highly sensitive files. This is also Samsung’s second known data breach this year after the Lapsus$ hacking crew stole source code and other confidential internal documents from the company’s systems in March, though no customer information was taken.
Customers’ personal information was stolen
Samsung says in its data breach notice 🖍️ that the hackers “in some cases” took customer names, contact and demographic information, date of birth, and product registration information. That suggests not every Samsung customer is affected, but it could also mean that Samsung does not yet know how much data was stolen in its data breach.
Names and dates of birth are personal information. It is less clear what other data was stolen, but the clues are in the privacy policy.
Samsung previously told TechCrunch that customers provide information when registering their devices to access “service and support, warranty information, software updates, and exclusive offers for the purchase of future Samsung products.” This data includes the Samsung product model, date of purchase, and the device’s unique identifier, such as an IMEI number for phones and advertising IDs, or serial numbers for other devices like smart TVs.
Unique identifiers are designed to be pseudonymous so that in the event of a data breach, these randomized strings of letters and numbers wouldn’t be of much use. But unique identifiers are not fully anonymized and can be combined with other data for targeted advertising or for identifying users or tracking someone’s online activity.
Demographic data includes precise geolocation data
Samsung’s data breach notice includes a vague mention of “demographic information” that was stolen by the hackers. Samsung says it collects this unspecified demographic information 🖍️ to “help deliver the best experience possible with our products and services” — or another way of saying targeted advertising.
Samsung’s U.S. privacy policy explains this more explicitly. “Ad networks allow us to target our messaging to users considering demographic data, users’ inferred interests, and browsing context. These networks can track users’ online activities over time by collecting information through automated means, including through the use of browser cookies, web beacons, pixels, device identifiers, server logs, and other similar technologies.”
Samsung declined to tell TechCrunch what specific data “demographic information” includes, but there are more clues in the company’s separate privacy policy for advertising, which it links to in the data breach notice and explains what demographic information includes.
The list is long, and you should take the time to read it closely for yourself. The abridged version is that Samsung collects technical information about your phone or other device, how you use your device, like which apps you have installed and which websites you visit, and how you interact with ads, which are used by advertisers and data brokers to infer information about you. The data can also include your “precise geolocation data,” which can be used to identify where you go and who you meet with. Samsung says it collects information about what you watch on its smart TVs, including which channels and programs you’ve watched.
Samsung also says it “may obtain other behavioral and demographic data from trusted third-party data sources,” which means Samsung buys data from other companies and combines it with its own stores of customer information to learn more about you, again for targeted advertising. Samsung would not say which companies, such as data brokers, it obtains this data from.
But that same data in the hands of bad actors can reveal a lot about a person and their online habits.
Why doesn’t Samsung just say any of this in its data breach notice? While the data may not be personally identifiable, it’s still personal in nature since it is linked to tastes, preferences and our real-world activity, which is why the nitty-gritty details of what companies like Samsung collect about you is often buried in the privacy policies that nobody reads (and we’re all guilty of this).
Samsung declined to say if data sourced from third-parties was compromised in its breach, but did not dispute our characterizations when spokespeople were reached prior to publication.
What Samsung isn’t saying in its data breach notice
Samsung won’t say how many customers are affected
Samsung declined to tell TechCrunch how many customers are affected by the breach. It could be that either Samsung doesn’t know, which is unlikely since it has already emailed customers it believes are affected. Or, what is more likely 🖍️, is that the number of customers affected is so large that Samsung doesn’t want you to know because the company would find it embarrassing.
Samsung has hundreds of millions of users, but seldom breaks out how many customers it has. Even 1% of affected customers could still amount to millions, or tens of millions of affected users.
It’s unclear why Social Security numbers are mentioned
The data breach notice conspicuously notes 🖍️ that the breach “did not impact Social Security numbers or credit and debit card numbers.” Reassuring on the face of it, but the wording is unclear. TechCrunch asked Samsung if it collects and stores Social Security numbers and that this data is unaffected, but the company declined to say — only that the issue “did not impact” Social Security numbers. Samsung collects Social Security numbers as part of its financing options and as a requirement for users of Samsung Money.
Why did it take a month to notify customers?
Looking at the timeline of the breach 🖍️, Samsung says the hackers stole data in “late July 2022,” which a generous reading could interpret as any point past the middle of July. Samsung could disclose the date — if it knows it. It’s also worth noting that this is the date that Samsung says that data was exfiltrated from its network and this does not include how much time the hackers spent in Samsung’s systems before they were finally discovered. It discovered the exfiltration of data on August 4, which means Samsung did not know for weeks that customer data had been stolen.
As for disclosing the breach a month later, just hours before close of business on a Friday before a long holiday weekend? Well, that’s just bad PR.
Samsung updated its privacy policy as it disclosed its breach
On the same day it announced its data breach, Samsung also pushed a new privacy policy to its users. Thanks to a reader who alerted TechCrunch to this, the new policy now explicitly states 🖍️ that Samsung can use a customer’s “precise geolocation” for marketing and advertising with the user’s consent. The new policy also now spells out 🖍️ for how long Samsung stores data that users share from the Quick Share feature. Samsung says it may “collect the contents you share, which will remain available for 3 days.”
TechCrunch asked Samsung how it defines what it defines as user consent, but a spokesperson would not say. Samsung would not say for what reason it pushed a new privacy policy, but claimed the update was “unrelated” to the incident and was previously planned.
If you know more about Samsung’s data breach or work at Samsung, you can contact this author via Signal at +1 646.755.8849 or via SecureDrop.