Samsung denies Social Security numbers involved in latest breach

Samsung has denied that hackers stole customer data sets that included Social Security numbers after announcing a breach last Friday.

The Korean technology giant published a notice ahead of the holiday weekend notifying customers that their U.S.-based systems were hacked in late July. The company’s security team discovered on August 4 that customer information was affected and they hired a cybersecurity firm in addition to contacting law enforcement.

In its initial notice, Samsung specifically mentioned that the hack did not involve Social Security numbers or credit and debit card numbers, alarming some who questioned why the company had access to that kind of information at all. 

The company said it collects information like Social Security numbers “to help deliver the best experience possible with our products and services.”

According to Samsung’s statement, the breach involved names, contact and demographic information, date of birth, and product registration information. They noted that the information varied depending on the customer. The company began meaning affected customers about the issue last week. 

The company did not respond to requests for comment about how many customers were affected. 

One day after the notice was published, a hacker on a dark web forum claimed to have stolen 190 GB of data from Samsung. 

Data associated with the new Samsung breach reported Friday are for sale on a dark web leak site today.

SSN where applicable and confirming that it does apply here @SamsungUS #cybersecurity #infosec @Samsung https://t.co/1fQES5NI3v pic.twitter.com/P1VDIdFKhw

— Dominic Alvieri (@AlvieriD) September 4, 2022

The data they claimed to have stolen included everything in Samsung’s notice but specifically mentioned that Social Security numbers were included in the breach.

When asked about this, a Samsung spokesperson denied that this is true.

“We want to emphasize the issue did not impact Social Security numbers,” a Samsung spokesperson told The Record. 

On social media, some customers questioned why the company waited one month to report the breach. The company did not respond to requests for comment about this. 

While Samsung also would not explain what “demographic information” referred to, TechCrunch reported that the company updated its privacy policy to explicitly state that the company can use a customer’s geolocation for marketing and advertising purposes. 

“With your separate consent, we may use your precise geolocation to notify you when you are near participating Samsung or third-party stores offering benefits or coupons or for other purposes explained at the time you provide your consent,” the company explained in their privacy policy, which they said was updated on Friday. 

This is the second time in 2022 that Samsung was hacked. In March, the company said the Lapsus$ extortion group hacked their systems and stole troves of data, including Galaxy smartphone source code.