SSD makers admit names, addresses, and encrypted passwords were pinched

Western Digital, the PC storage giants behind some of thebest gaming SSDs, havereleased an updateon a data breach that occurred in late March. Uplifting news, it is not: the “network security incident” was a large-scale case of digital thievery, with the culprits stealing a database containing the names, billing and shipping addresses, email addresses, and telephone numbers of customers to WD’s online store.

The plundered database also included encrypted and salted passwords and partial credit card numbers, according to the statement. Western Digital are contacting affected users directly, and have temporarily shut down their store.

Though the company first publicly acknowledged the breach with apress releaseon April 3rd, more than a week after the March 26th incident took place, Western Digital kept quiet on both the content and the nature of the breach while they investigated.TechCrunch, however, soon reported it as an extortion attempt, with the then-unnamed hackers demanding an eight-figure sum for the stolen data’s return. Ransomware group BlackCat ultimately claimed responsibility, and according to security researcherDominic Alvierihave already been sharing screenshots of other pilfered material including Western Digital’s internal comms and videoconferences.

“We are aware that other alleged Western Digital information has been made public,” the latest WD statement reads. “We are investigating the validity of this data and will continue reporting our findings as appropriate.”

“Regarding reports of the potential to fraudulently use digital signing technology allegedly attributed to Western Digital in consumer products, we can confirm that we have control over our digital certificate infrastructure. In the event we need to take precautionary measures to protect customers, we are equipped to revoke certificates as needed. We’d like to remind consumers to always use caution when downloading applications from non-reputable sources on the Internet.”

Despite the modus operandi of the apparent thieves, this doesn’t appear to technicallybea ransomware attack, which would normally involve the perpetrator encrypting an application or service to block the victim’s access until they pay up. Still, by Western Digital’s own admission, an awful lot personally identifiable information has fallen into very much the wrong hands. If you’ve bought anSSD or hard drivefrom their official store, be sure to check your email and set about changing your passwords.