Western Digital’s online store is still offline, six weeks after a March 26 cyberattack. WD has not yet completed its probe into how much of its data was copied by the attackers. In relation to the attack, it warned customers to be wary of unsolicited emails that ask for personal details or ask them to download and run suspicious-looking software on their computers.
An SEC filing by WD on May 5 stated the drive maker’s investigation into the IT intrusion is still underway and that the majority of impacted systems and services are now operational, including MyCloud. The closed online store should be back online in the week beginning May 15. The filing confirmed that, when it discovered the attack, WD disconnected its systems and services from the public internet at the beginning of April. It has continued shipping devices from its factories to business and other non-consumer customers throughout.
Its statement confirms miscreants copied out an internal database used for WD’s online store, which contained “customer names, billing and shipping addresses, email addresses and telephone numbers. In addition, the database contained, in encrypted format, hashed and salted passwords and partial credit card numbers.” WD said it has begun emailing affected customers directly, letting them know their information fell into the wrong hands.
Cybersecurity researcher and analyst Dominic Alvieri tweeted in late April that BlackCat – the ransomware gang also known as ALPHV that was said to have infiltrated WD – had publicly shared copies of internal data swiped from Western Digital, and had even invaded a video-conference call said to involve WD staff or those working for them. The original report included a screenshot of BlackCat-ALPHV’s leak site, where the gang brags about the businesses it has turned over, including WD.
BlackCat began leaking snippets of the stolen WD files on a weekly basis via its blog in an attempt to coerce the hard drive maker into paying millions of dollars to keep what’s said to be 10TB of purloined documents under wraps. That data haul was said to include firmware files and personally identifiable information pertaining to customers. The ransomware gang threatened to sell the data to others if WD didn’t pay up; so far, Western Digital hasn’t coughed up the ransom, to the best of our knowledge.
WD’s filing stated it is “aware that other alleged Western Digital information has been made public,” without saying what that information is. On April 13 TechCrunch reported the thieves had gained access to WD’s SAP BackOffice system and the drive maker’s code-signing certificate, used to digitally sign files as being authentic WD material.
A certificate on its own is public data; what would matter is whether the private key behind it was also taken. If the crooks hold that key, they can sign executables, drivers and firmware images that Windows and WD devices would treat as genuine, and until the certificate is revoked no download or update carrying a WD signature could be trusted on that basis alone.
WD’s SEC statement goes on to say: “Regarding reports of the potential to fraudulently use digital signing technology allegedly attributed to Western Digital in consumer products, we can confirm that we have control over our digital certificate infrastructure. In the event we need to take precautionary measures to protect customers, we are equipped to revoke certificates as needed. We’d like to remind consumers to always use caution when downloading applications from non-reputable sources on the Internet.”
So on the one hand, Western Digital can revoke the affected certificates so that, in theory, they can’t be used for malicious purposes in future. On the other, revocation only bites where it is checked: the revocation has to be published by the issuing CA and picked up by operating system makers and other partners, and devices or update paths that never consult a CRL or OCSP responder will keep accepting the old signatures regardless. WD will also need to pin down the scope of the possible certificate misuse, because the revocation date it sets matters. Windows honours a trusted timestamp on a signature: anything countersigned before the revocation date stays valid, anything after it is rejected. Date the revocation to the compromise and legitimate pre-breach releases keep working; date it later and signed malware produced in the gap slips through. Re-signing affected releases with replacement certificates and telling customers about it all has cost implications.
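The policy described above, as an added example that is not Western Digital’s or any vendor’s code: a simplified model of the revocation-and-timestamp step an Authenticode-style verifier applies after the cryptographic signature and chain have already checked out. The serials, expiry and timestamps are constructed; the revocation date is set to the March 26 intrusion date reported in the article purely to illustrate backdating revocation to the point of compromise, not because WD has published such a date.

```python
"""Simplified revocation/timestamp policy for a code-signing certificate whose
key is suspected stolen.  Constructed illustration, not vendor code."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class CrlEntry:
    """One revoked serial from the issuing CA's CRL."""
    serial: int
    revocation_date: datetime  # should be the compromise date, not the day the CA heard about it


@dataclass(frozen=True)
class Signature:
    """What a verifier extracts from a signed file before applying policy."""
    label: str
    signer_serial: int
    cert_not_after: datetime
    timestamp: Optional[datetime]  # RFC 3161 countersignature time, None if absent


def verify_policy(sig: Signature, crl: Tuple[CrlEntry, ...], now: datetime) -> Tuple[bool, str]:
    """Decide whether to trust `sig` given the CRL.  Assumes the signature bytes
    and certificate chain have already been validated; this is only the
    revocation and expiry decision."""
    entry = next((e for e in crl if e.serial == sig.signer_serial), None)

    if entry is not None:
        # Revoked signer: only a trusted timestamp predating the compromise saves it.
        if sig.timestamp is None:
            return False, "signer revoked and signature carries no trusted timestamp"
        if sig.timestamp < entry.revocation_date:
            return True, "signer revoked, but signature was timestamped before the compromise date"
        return False, "signature timestamped on or after the revocation date"

    # Not revoked: a timestamp also keeps a signature valid after the cert expires.
    if now <= sig.cert_not_after:
        return True, "signer certificate valid and not revoked"
    if sig.timestamp is not None and sig.timestamp <= sig.cert_not_after:
        return True, "signer certificate expired, but timestamp shows it was valid at signing"
    return False, "signer certificate expired and signature is not timestamped"


# Constructed sample data (hypothetical serials and dates).
STOLEN_SERIAL = 0x1A2B3C
SAMPLE_CRL = (CrlEntry(STOLEN_SERIAL, datetime(2023, 3, 26, tzinfo=UTC)),)  # assumed compromise date
NOW = datetime(2023, 5, 8, tzinfo=UTC)
EXPIRY = datetime(2024, 12, 31, tzinfo=UTC)

LEGIT_OLD_RELEASE = Signature("firmware shipped before the breach", STOLEN_SERIAL, EXPIRY,
                              datetime(2022, 11, 1, tzinfo=UTC))
POST_THEFT_BINARY = Signature("binary signed after the breach", STOLEN_SERIAL, EXPIRY,
                              datetime(2023, 4, 20, tzinfo=UTC))
UNTIMESTAMPED = Signature("binary with no countersignature", STOLEN_SERIAL, EXPIRY, None)
OTHER_SIGNER = Signature("file from an unaffected certificate", 0x99, EXPIRY, None)


def evaluate_all(now: datetime = NOW) -> dict:
    """Run the policy over the constructed samples; returns label -> (ok, reason)."""
    return {s.label: verify_policy(s, SAMPLE_CRL, now)
            for s in (LEGIT_OLD_RELEASE, POST_THEFT_BINARY, UNTIMESTAMPED, OTHER_SIGNER)}


if __name__ == "__main__":
    for label, (ok, reason) in evaluate_all().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {label}: {reason}")
```

The edge worth noticing is the revocation date. Move it later than the real compromise (say, to the day the CA was notified) and `POST_THEFT_BINARY` would be accepted if it was timestamped in that gap; move it earlier than necessary and genuine pre-breach releases start failing, which is why the scope of the theft has to be understood before the revocation is published.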
WD reports its third fiscal 2023 quarter results today, after the US stock markets close. Its Q3 finishes at the end of March and the revenue impact from the cyber attack will affect its fourth FY 23 quarter, ending June 30, and not the third quarter. Even so, earnings call analysts can be expected to question WD’s execs about the issue.