Western Digital restores service; attack details remain unclear
While Western Digital confirmed that it suffered a data breach on March 26, the storage company has not offered details about the attack scope or whether ransomware was involved.
Western Digital Corporation restored its services Wednesday, less than two weeks after a network breach caused significant outages, though the nature of the attack remains unclear.
On April 3, the California-based storage vendor disclosed that a network security incident had interrupted customer access to its SanDisk and My Cloud services, including My Cloud Home, My Cloud Home Duo, My Cloud OS 5 and more. Western Digital also confirmed that the attack, which began on March 26, resulted in data theft and that an investigation with law enforcement was ongoing.
UPDATE 5/1: The Alphv ransomware gang, also known as Blackcat, leaked sensitive data Friday, including videoconference meeting footage, that apparently belongs to Western Digital. Security researcher Dominic Alvieri shared screenshots of the group's data leak site on Twitter Thursday. One screenshot showed a letter from Alphv threatening to leak Western Digital data every week before it decides to sell it. Operators claim to have access to code signing certificates, firmware, personally identifiable information of customers and more. Alphv also claimed it stole a full backup of Western Digital's SAP Back Office that contains data going back to the last week of March.
As of Thursday, Western Digital's website still displays a banner that says, "We'll be back soon: We are unable to process orders at this time." However, according to its My Cloud incidents history page, the service outage was resolved on Wednesday, only 11 days after the attack caused business disruptions. Some recent cyber attacks, specifically those involving ransomware, have caused weeks or months of delays for businesses across a variety of sectors.
While questions remain about who was responsible for the attack, what led to prolonged outages, the amount and types of stolen data, and whether the incident involved ransomware, Western Digital notifications shed light on the disruptions and recovery process. Initially, the attack disrupted access to the company's personal cloud storage device platform called My Cloud Home, as well as SanDisk Ibi and SanDisk Ixpand Wireless Charger services.
Customers can use My Cloud to back up data such as photos and videos. Western Digital acquired SanDisk in 2016, and that product line includes memory cards, USB flash drives, external drives and other offerings.
An update on April 7 revealed that continued service interruptions were preventing customers from logging in to files and applications provided for their products, including mobile, desktop and web apps. Examples of products include hard disk drives, NAND flash-based storage devices and enterprise storage platforms.
There was a hint of good news for customers, however. Western Digital confirmed in the update that users could begin accessing files through the Local Access feature.
"During this service interruption, you may now access files stored locally on your device using a feature called Local Access," the update said. "To enable Local Access, use your favorite browser and connect to your device's dashboard."
However, Western Digital's support page that explains how to enable Local Access said the procedure applies only to existing users of My Cloud Home and My Cloud Home Duo. One caveat noted that "those network mapped drives will only provide data for the individual user account which has local access enabled." It is unclear how many customers had that feature enabled before the attack affected My Cloud services.
In addition, using the Local Access feature required users to log in to their My Cloud account, but the My Cloud domain was offline for several days after the attack. The service and website are both currently back online.
As of April 12, Western Digital confirmed that "[s]ervices are back online and fully operational," though details about the recovery process remain unclear. According to the April 3 press release, it does not appear that Western Digital forced its services offline once it became aware that an attack was in progress, but it might do so in the future.
"The Company is implementing proactive measures to secure its business operations including taking systems and services offline and will continue taking additional steps as appropriate," Western Digital wrote in the press release.
Western Digital did not respond to requests for comment.
Arielle Waldman is a Boston-based reporter covering enterprise security news.