Data breach exposes 49 million Dell customers

The technology giant was hacked by Menelik, who has offered to sell the stolen data.

Approximately 49 million of Dell’s customers have been hit by a data breach, the company has announced in an email to current and former customers.

“We are currently investigating an incident involving a Dell portal, which contains a database with limited types of customer information related to purchases from Dell,” the company said.

In the email, Dell claimed that no highly sensitive customer information, such as financial or payment information, email address or telephone number, was breached. Yet, the company’s investigation indicates that information accessed included:

  • name;
  • physical address; and
  • Dell hardware and order information, including service tag, item description, date of order and related warranty information.

“We believe there is not a significant risk to our customers given the type of information involved,” Dell said.

Hacker selling data

According to csoonline, the threat actor Menelik announced on April 28 the sale of “data for 49 million customers and other information systems purchased from Dell between 2017-2024” on BreachForums – a new crime site for hackers.

There, Menelik listed that the stolen data included customer information such as city, full name, address, province, postal code, warranty plan, company name, order number, customer number, system shipped date (order date), and the unique seven-digit service tag of the system.

The top five countries with the most customers in the leaked database are believed to be the US, China, India, Australia, and Canada. Hacked data is also thought to include information from enterprise clients, partners, educational institutions, and other entries.

Menelik also claimed to have more information than Dell stated in the email.

“I don’t have email/phone for this 49 million but I do have email and phone number of some several thousand other customers. All recent,” the hacker said on the forum according to csoonline.

BleepingComputer, which has been in contact with Menelik, says that the threat actor harvested the data by generating 5,000 requests per minute for three weeks without Dell blocking the attempts.

The attack was carried out in March, and details were emailed to Dell on April 12 and 14 to report the bug to the company’s security team. Dell’s email to customers was sent a few days ago.

Dell criticised

Dell is reported to have notified law enforcement, and engaged a third-party forensics firm to investigate the incident. “We will continue to monitor the situation,” the company said.

Yet, even if Dell “do not believe there is significant risk” relating to the leaked data, many of the affected customers voiced their anger and concern on Reddit.

  • “So my full name, address, and what I bought are on the web somewhere? ‘No Significant Risk’ huh Dell? lol.”
  • “Addresses are considered personally identifiable information and are subject to strict safeguards in most jurisdictions. How the hell does Dell consider this a limited type of information?”
  • “They claim ‘no significant risk’ yet bad actors having access to your hardware information, including original configuration, is VERY bad imo. They are trying to make this ok and not a big deal, but what they should be doing is warning people to make sure they aren’t using any default login, change their IDRAC logins etc etc. Poor communications from Dell on this one.”