Attackers try to shake down WD for eight figures, claim to have 10TB of data

Western Digital internal systems were broken into on April 3, with data exfiltrated and its My Cloud services going offline. Now some individuals claiming to be the attackers are reportedly demanding an eight-figure payment, threatening to publish sensitive information if WD doesn’t cough up.

An SEC filing at the beginning of the month by Western Digital confirmed: “An unauthorized third party gained access to a number of the Company’s systems.” Western Digital detected the event and started an investigation into what happened with external security and forensic experts. It is coordinating with law enforcement agencies and took certain services offline, such as MyCloud.

The company said it “is actively working to restore impacted infrastructure and services.” It “believes the unauthorized party obtained certain data from its systems and is working to understand the nature and scope of that data.” Western Digital’s response to the incident “has caused and may continue to cause disruption to parts of the Company’s business operations.” For example, online product ordering is suspended in the UK.

Now TechCrunch reports that the supposed attackers told it they had extracted 10TB of data, including customer information, from Western Digital’s systems and want to extort a minimum eight-figure payment (at least $10,000,000) to stop them from publishing it. Western Digital has apparently not been cooperating with the individuals.

The outlet said it was given samples of the stolen information that included what appeared to be Western Digital exec phone numbers, code-signing certificates, internal emails, a Western Digital Box account screenshot and other data. The miscreants claimed to have copied data from Western Digital’s SAP Backoffice eCommerce facility and from a PrivateArk instance. All this suggests the group potentially had access to Western Digital’s internal systems for quite some time, and at a privileged level.

WD did not comment on this.

WD’s CISO is Phil Malatras, although he only took up that position in March, replacing Geoffrey Aranoff. Malatras was previously Chief Security Officer for its Federal division and a senior director of Global Information Security. He’s certainly having a baptism of fire in his CISO role.

We have contacted WD and asked if it has any comment to make about its progress in recovering from the incident and helping to prevent similar attacks on other organizations in the future.

MyCloud services came back online on April 12.