Western Digital: Customer info stolen in that IT attack

Customer information was stolen from the IT systems of Western Digital in the March security breach we've previously reported, forcing the storage manufacturer to shut down its online store until at least next week. Western Digital (WD) disclosed the intrusion in early April, saying that in late March its engineers discovered …

  1. Howard Sway Silver badge

    Other data exposed include – in "encrypted" form – hashed and salted passwords

    Right, so you encrypted your users' passwords so that they couldn't be misused after a data breach. But it never occurred to you to encrypt their names, addresses, telephone numbers, email, because you didn't realise that these are also commonly used for phishing attacks when they get stolen.

    20 years I've been informing companies of this problem, and imploring them to encrypt a lot more of the personal data they hold. And still I encounter the shrug of the shoulders and get told that they don't think it's that important and will make more work for them. Still, this story is one more example to add to my file of reasons why they're wrong.

    1. Kevin McMurtrie Silver badge

      Re: Other data exposed include – in "encrypted" form – hashed and salted passwords

      Counterpoint: Encrypting frequently used data can make the decryption keys more widely available for theft.

      That's why you need to put a lot of effort into general security practices.

      1. ITMA Silver badge

        Re: Other data exposed include – in "encrypted" form – hashed and salted passwords

        The really hard part with security is not the technical aspects, which I'm not saying are easy. It is getting the necessary top-level management buy-in, backing and enforcement.

        All too often, it is lethargy and lack of a spine at the top that is the root cause.

        Like allowing WhatsApp to become a semi-official internal communication tool used in preference to all the organisation-provided tools. Simply because the users set it up and like using it.
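The first post and its reply turn on a distinction worth making concrete: a salted, slow hash is the right tool for passwords because the site only ever needs an equality check, but the same trick does nothing for low-entropy fields like email addresses, and anything reversible or keyed moves the whole problem onto key custody. The following is an added illustration written for this page, not code from Western Digital or from the article; all names, addresses and keys in it are constructed, and an HMAC token stands in for field encryption since both share the property that the protection rests on the key.

```python
"""Added example: why salted hashing fits passwords but not customer PII.

Constructed sample data only; nothing here comes from the breach reported
above. Standard library only, so it runs offline.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# scrypt work factor kept small so the example runs quickly; production
# deployments use a much larger n (2**14 or more).
SCRYPT_PARAMS = dict(n=2**10, r=8, p=1, dklen=32)


# --- Passwords: one-way, salted, deliberately slow ---------------------------
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """The server never needs the plaintext back, only a constant-time equality check."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# --- PII: a salted hash is not protection --------------------------------------
def salted_hash(value: str, salt: bytes) -> bytes:
    """What 'we hashed that too' usually means in practice: SHA-256 over salt || value."""
    return hashlib.sha256(salt + value.encode()).digest()


def recover_by_enumeration(digest: bytes, salt: bytes, candidates: List[str]) -> Optional[str]:
    """Given the leaked salt and digest, try every plausible value.

    Email addresses and phone numbers have far too little entropy for a salt to
    help: the salt only stops precomputation, not a per-record guess-and-check.
    """
    for candidate in candidates:
        if hmac.compare_digest(salted_hash(candidate, salt), digest):
            return candidate
    return None


# --- PII: keyed token, where the key becomes the whole secret ------------------
def keyed_token(value: str, key: bytes) -> bytes:
    """HMAC-SHA256 pseudonym. Without the key, enumeration of candidates is useless.

    The flip side, which the reply above raises, is that the application must
    hold this key to use the field at all, so the protection is only as good as
    the key's storage and access control.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).digest()


if __name__ == "__main__":
    # Constructed sample customer record and attacker wordlist.
    salt = os.urandom(16)
    email = "alice@example.com"
    wordlist = ["bob@example.com", "carol@example.com", "alice@example.com"]

    pw_salt, pw_digest = hash_password("correct horse battery staple")
    print("password verifies:", verify_password("correct horse battery staple", pw_salt, pw_digest))

    leaked = salted_hash(email, salt)
    print("salted hash of email recovered:", recover_by_enumeration(leaked, salt, wordlist))

    key = os.urandom(32)
    token = keyed_token(email, key)
    print("keyed token recovered without key:", recover_by_enumeration(token, salt, wordlist))
```

Running it shows the password check succeeding, the "hashed" email recovered from a three-entry wordlist, and the keyed token resisting the same attack; the operational question that remains is where that key lives and who can read it.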

  2. TrevorH
    FAIL

    I got the email from them telling me of this breach and, usefully, it contains only a JPEG of the grovelling apology from some WD bigwig. That JPEG has no explanatory text to go with it and like many I have images deliberately turned off in my email client so all I got on two email clients (gmail on Android 13 and Thunderbird on a desktop) was a blank email from them containing, apparently, nothing at all. Very useful. It was only because I wondered why WD would be sending me a blank email that I bothered to dig through the headers and work out that it was actually from them. I then had to hack through the HTML email source code to extract the JPEG URL so I could read it....

    Not a great way to communicate.

    1. Anonymous Coward

      But this email was to demonstrate how much they care! Aren't you grateful?

  3. Headley_Grange Silver badge

    Delete My Data

    I don't want an account on shopping sites and I don't see why they need to keep any information on me at all. The tax man doesn't need it otherwise every shop in the high street would demand my name and address every time I bought something. I'd be happy for them to delete all my data once I've confirmed receipt of the product and I'm happy with it. As long as I've got a copy of the delivery data - invoice, order number, receipt, whatever, then any problems after delivery are dealt with in the same way they would be in a physical shop - I send them a copy of the order and tell them what the problem is. All they'd have to do is maintain a database of order number vs date and product sold to confirm I'm not trying to scam them. They'd lose marketing information, of course, but if the fines for not keeping their site secure were high enough then they might decide that the value of the data is not worth it.

  4. John Brown (no body) Silver badge

    GDPR, UK ICO and the EU.

    Do these international companies have a duty to report within specified time frames to the ICO and EU equivalents when they have a presence in those jurisdictions and their citizens are affected? Have any fines been issued in those cases? It seems as though the WD incident, at least, was sat on for a little while, possibly too long, before they released the information.

  5. sitta_europea Silver badge

    "The fact is that sometimes shit happens..."

    If your security team can't even secure their own incident response conference call, then it's going to happen, isn't it?
