
Dell says names, addresses leaked after hacker claims access to 49M records


Dell is warning customers that their names, physical addresses and some order information may have been accessed in a recent cybersecurity incident.

A threat actor known as Menelik made a post on the cybercrime site BreachForums on April 28 claiming to have access to 49 million customer records from Dell, according to a screenshot published by Malwarebytes.

Menelik claimed the data came from “Dell servers” and included full names and company names of customers, physical addresses, warranty information and order information such as system shipped date and serial numbers of monitors.

Around Wednesday this week, customers began reporting on social media that they received an email from Dell warning their name, address and order information, including information on Dell hardware, may have been compromised.

A version of the email posted by a Reddit user Wednesday directs affected customers to a Dell blog post on avoiding phone scams and says suspicious activity related to Dell accounts and purchases should be reported to [email protected].

A statement from Dell provided to SC Media contains similar language to the notification email shared on social media, stating: “We recently identified an incident involving a Dell portal with access to a database containing limited types of customer information including name, physical address, and certain Dell hardware and other information. It did not include financial or payment information, email address, telephone number or any highly sensitive customer data.”

Dell declined to provide further information about the incident, such as how many customers were affected and how the database was accessed, saying, “we are not disclosing any information that could compromise the integrity of our ongoing investigation or any investigations by law enforcement.”

While Dell’s statement said “we don’t believe there is a significant risk to our customers given the type of information involved,” there are still some risks to having one’s name and physical address exposed.

For example, these details could be leveraged as a means to obtain further personal details leading to identity theft and fraud, according to Trend Micro. Additionally, criminals can conduct specific address-related scams, such as making an unauthorized change of address or posting a fake rental ad under your name, according to Bitdefender.

Dell’s blog post on avoiding phone scams, first published in 2018, warns that fraudsters impersonating Dell technical support staff may solicit personal information, payment and remote system access. The post advises customers never to disclose information or give remote access to these unsolicited callers, even if they have specific information about one’s system, and notes that Dell never asks for gift cards or for funds to be wired as payment.

Dell declined to confirm to SC Media the validity of the BreachForums posting, although TechCrunch reported Friday morning that some of the data provided by Menelik matched the real information of Dell customers. Menelik told TechCrunch he registered and was approved as a Dell “partner” – someone who resells Dell products and services – under several different names and then brute-forced customer service tags, sending “more than 5,000 requests per minute” to the database to scrape additional data.

The threat actor claimed he continued this process for three weeks without being detected. A Dell spokesperson told TechCrunch, “Let’s keep in mind, this threat actor is a criminal and we have notified law enforcement.”
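As an added example (not code from Dell, SC Media or TechCrunch), the sketch below shows how per-account sliding-window checks over lookup logs could surface the kind of sustained service-tag enumeration described above, using two signals: how many distinct tags an account queries and how many lookups miss. The log fields, account names, tag formats and thresholds are all assumptions, and the sample traffic is constructed.

```python
from collections import defaultdict, deque

WINDOW_S = 60           # sliding window, seconds
MAX_DISTINCT_TAGS = 25  # assumed ceiling for one partner account per window
MAX_MISS_RATIO = 0.5    # guessed tags mostly do not exist
MIN_LOOKUPS = 20        # do not judge the miss ratio on tiny samples


def detect_enumeration(events):
    """events: time-sorted (epoch_s, account, service_tag, http_status).
    Returns {account: (time_of_first_alert, reason)}."""
    windows = defaultdict(deque)  # account -> lookups inside the window
    alerts = {}
    for ts, account, tag, status in events:
        win = windows[account]
        win.append((ts, tag, status))
        while win[0][0] <= ts - WINDOW_S:  # expire old lookups
            win.popleft()
        if account in alerts:
            continue
        distinct = len({t for _, t, _ in win})
        misses = sum(1 for _, _, s in win if s == 404)
        if distinct > MAX_DISTINCT_TAGS:
            alerts[account] = (ts, f"{distinct} distinct tags in {WINDOW_S}s")
        elif len(win) >= MIN_LOOKUPS and misses / len(win) >= MAX_MISS_RATIO:
            alerts[account] = (ts, f"{misses}/{len(win)} lookups missed")
    return alerts


def constructed_log():
    """Constructed sample traffic for three hypothetical accounts."""
    events = []
    for i in range(12):   # partner-a: occasional lookups of 4 known tags
        events.append((i * 50, "partner-a", f"TAG{i % 4:04d}", 200))
    for i in range(300):  # partner-b: 4 lookups/s walking tags, most exist
        status = 404 if i % 10 == 0 else 200
        events.append((100 + i * 0.25, "partner-b", f"WALK{i:05d}", status))
    for i in range(60):   # partner-c: slow guessing, 1 lookup per 3 s
        status = 200 if i % 5 == 0 else 404
        events.append((200 + i * 3, "partner-c", f"GUESS{i:05d}", status))
    return sorted(events)


if __name__ == "__main__":
    for account, (ts, reason) in detect_enumeration(constructed_log()).items():
        print(f"{account}: flagged at t={ts}s ({reason})")
```

The slow account stays under the distinct-tag ceiling and is caught only by its miss ratio, which is why a rate limit alone is not enough against enumeration spread across several accounts or throttled below the limit.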
