Samsung, Big Tech, and Inconsistent Data Breach Notices
In early September of 2022, South Korean multinational manufacturing conglomerate Samsung announced that the company had experienced a data breach nearly a month prior in July of 2022. More specifically, the notice that the company posted to its security response center stated that “in late July 2022, an unauthorized third party acquired information from some of Samsung’s U.S. systems. On or around August 4, 2022, we determined through our ongoing investigation that personal information of certain customers was affected. We have taken actions to secure the affected systems, and have engaged a leading outside cybersecurity firm and are coordinating with law enforcement.” The notice goes on to detail what data elements were compromised during the breach, which included names, dates of birth, and contact details, among other things.
However, while this data breach notice would appear to be one of the many such documents that major businesses such as Samsung post to their websites on a virtually daily basis, the notice in question is vague about what caused the data breach event, what forms of information were breached, and other details. To this last point, Zack Whittaker, security editor at TechCrunch, wrote an article for the technology website that highlighted what Samsung’s most recent data breach notice actually means for the millions of customers that use the corporation’s products, with an annotation for each sentence contained in the notice.
Data vs. security breach
To start off his analysis and annotation, Whittaker addresses the common misconception that the terms “data breach” and “security breach” are interchangeable. The article goes on to say that “not all security incidents are created equally. Malicious hackers don’t always steal data; it depends on how a company’s systems and network is set up and how far the hackers get.” Whittaker goes on to state that the breach notice Samsung recently posted to the company’s website represented the minimal amount of information concerning the event that is legally required for businesses that operate within the U.S., meaning that the breach that occurred was likely more impactful than what has actually been reported thus far.
To illustrate this point further, the breach that Samsung sustained in July of 2022 was the second such event to have occurred in the past calendar year, as the conglomerate was also attacked by the hacking group known as Lapsus$ in March of this year. For context, Lapsus$ has been involved in a number of other high-profile data breaches involving international corporations in the past year alone, including Nvidia, Qualcomm, and T-Mobile, among others. With all this being said, the data breach that Samsung recently experienced could very well be a result of the company’s failure to protect the personal data of its customers effectively, despite the fact that the breach notice it posted would suggest otherwise.
In spite of the fact that almost every major state or territory within the U.S. has enacted some form of data or security breach notification legislation as of 2022, the level of ambiguity that is present within the privacy policies of major corporations such as Samsung can make it extremely difficult for American citizens to grasp exactly which data elements pertaining to them may have been compromised during a particular breach incident. Due to this fact, consumers must be vigilant whenever they suspect their personal data may have been subjected to a data breach, as many large-scale companies will only provide customers with the bare minimum of information that is legally required when they experience such incidents.