Western Digital confirmed on Friday that cybercriminals have stolen customer and other information after breaching its systems.
According to the digital storage giant, a security breach was discovered on March 26. In early April, the company shut down some services as part of its incident response activities and informed customers about a cyberattack, but it did not share any further updates until May 5.
Western Digital’s second public statement comes just days after a ransomware group known as Alphv/BlackCat started publishing screenshots showing the extent of their access. The screenshots appear to show video calls, emails and internal documents discussing the cyberattack, as well as internal tools, invoices, and confidential communications.
The hackers have threatened to make public — unless WD pays up — customer personal information, firmware, code signing certificates, and intellectual property.
In the statement issued on Friday, WD confirmed that the hackers accessed a database associated with its online store that contained customers’ personal information, including name, billing and shipping address, phone number, email address, hashed and salted password, and partial credit card number.
The impacted online store is expected to be restored in the week of May 15. The My Cloud service, which was also shut down following the hack, was restored in mid-April.
The company said it’s still investigating the validity of the other data made public by the ransomware group. However, it did provide some clarifications regarding digital certificates.
“Regarding reports of the potential to fraudulently use digital signing technology allegedly attributed to Western Digital in consumer products, we can confirm that we have control over our digital certificate infrastructure. In the event we need to take precautionary measures to protect customers, we are equipped to revoke certificates as needed,” the company said.
In a separate incident that involved digital certificates, a different ransomware group hacked computer manufacturer MSI and recently leaked what appeared to be firmware image signing keys and Intel BootGuard keys associated with several major vendors.
Firmware security company Binarly has analyzed the leaked keys and warned of potentially severe consequences.
“The signing keys for firmware images allow an attacker to craft malicious firmware updates and it can be delivered through a normal BIOS update process with MSI update tools,” Binarly CEO Alex Matrosov told SecurityWeek. “The Intel BootGuard keys leak impacts the whole ecosystem (not only MSI) and makes this security feature useless.”
“I think for MSI it will be a complicated situation since to deliver new signing keys they still need to use leaked ones. I don’t believe they do have any revocation mechanisms except just replacing the leaked one with the new key,” Matrosov added. “Regarding Intel BootGuard keys, it’s more complicated because it’s a hardware-based security feature. The Intel BootGuard is not documented. I can only hope Intel has the revocation procedure otherwise the leaked keys will stay forever on impacted devices.”