Samsung, Big Tech, and Inconsistent Data Breach Notices
In early September of 2022, South Korean multinational manufacturing conglomerate Samsung announced that the company had experienced a data breach nearly a month prior in July of 2022. More specifically, the notice that the company posted to its security response center stated that “in late July 2022, an unauthorized third party acquired information from some of Samsung’s U.S. systems. On or around August 4, 2022, we determined through our ongoing investigation that personal information of certain customers was affected. We have taken actions to secure the affected systems, and have engaged a leading outside cybersecurity firm and are coordinating with law enforcement.” The notice goes on to detail what data elements were compromised during the breach, which included names, dates of birth, and contact details, among other things.
However, while this data breach notice would appear to be one of the many such documents that major businesses such as Samsung post to their online websites on a virtually daily basis, the notice in question is somewhat vague and ambiguous about what caused the data breach event, what forms of information were breached, etc. To this last point, Zack Whittaker, security editor at TechCrunch, wrote an article on the online technology website that highlighted what Samsung’s most recent data breach notice actually means for the millions of customers that utilize the corporation’s products, in accordance with annotation for each sentence that was contained in the notice.
Data vs. security breach
To start off his analysis and annotation, Whittaker addresses the common misconception that the terms data and security breach are interchangeable. The article goes on to say that “not all security incidents are created equally. Malicious hackers don’t always steal data; it depends on how a company’s systems and network is set up and how far the hackers get.” Whittaker goes on to state that the breach notice Samsung recently posted to the company’s website represented the minimal amount of information concerning the event that is legally required for businesses that operate within the U.S., meaning that the breach that occurred was likely more impactful than what has actually been reported thus far.
To illustrate this point further, the breach that Samsung sustained in July of 2022 was the second of such events to have occurred in the past calendar year, as the conglomerate was also attacked by the hacking group known as Lapsus$ in March of this year. For context, Lapsus$ has been involved in a number of other high-profile data breaches involving international corporations in the past year alone, including Nvidia, Qualcomm, and T-Mobile, among others. With all this being said, the data breach that Samsung recently experienced could very well be a result of the company’s failure to protect the personal data of their customers effectively, despite the fact that the breach notice they posted would suggest otherwise.
Stolen information
The second major point that Whittaker makes when breaking down Samsung’s recent data breach notification is the way in which the company described the forms of information that were compromised during the course of the event. For reference, while Samsung maintains that the data breach they recently sustained “did not impact Social Security numbers or credit and debit card numbers”, the company goes on to say that “the information affected for each relevant customer may vary.” Likewise, Whittaker posits that this last sentence suggests that “not every Samsung customer is affected, but it could also mean that Samsung does not yet know how much data was stolen in its data breach.” Moreover, Whittaker also points out the ways in which Samsung’s privacy policy describes personal information.
While many people will only skim through a privacy policy before accepting it, due to the inherent length and complexity that is often associated with such documentation, consumers may be misled about the fashion in which a company is actually protecting their personal data. For instance, while Samsung has confirmed that demographic data was stolen during the data breach they recently experienced, the company’s privacy policy states that such information is used to “help deliver the best experience possible with our products and services”. For this reason, Whittaker and TechCrunch reached out to Samsung for further information and clarity regarding the company’s privacy policy, albeit to no avail.
Privacy policies
However, Whittaker goes on to argue that even without such clarification, the contents of Samsung’s privacy policy outline the true manner in which the company collects personal information from its customers. For instance, while the U.S. Census may categorize demographic data in terms such as age, sex, and race, Samsung uses this same term to include technical information about user devices, the mobile and online applications that a Samsung customer accesses when using such devices, how users interact with advertisements, and the precise geolocation information of customers. To this end, the actual categories of personal data that were disclosed during Samsung’s most recent breach remain to be seen.
In spite of the fact that almost every major state or territory within the U.S. has enacted some form of data or security breach notification legislation as of 2022, the level of ambiguity that is present within the privacy policies of major corporations such as Samsung can make it extremely difficult for American citizens to grasp what exact data elements pertaining to them may have been compromised during a particular breach incident. Due to this fact, consumers must be vigilant whenever they suspect their personal data may have been subjected to a data breach, as many large-scale companies will only provide customers with the bare minimum of information that is legally required when they experience such occurrences in practice.