Western Digital confirms ransomware actors stole customer data

Western Digital disclosed that customer data was stolen in a ransomware attack on March 26 and acknowledged reports of data leaks, which appear to be legitimate.

The California-based storage vendor first disclosed the attack on April 2, announcing that a "network security incident" rendered its My Cloud and SanDisk services inaccessible and that an investigation into data theft was ongoing. While Western Digital managed to restore services 11 days after the breach, other problems arose.

Last month, the Alphv ransomware group, also known as BlackCat, claimed responsibility for the attack through its public data leak site, used to pressure victims into paying. In an update late Friday, Western Digital confirmed that customer data was stolen, including names, billing and shipping addresses, emails, telephone numbers, and encrypted passwords.

The update also acknowledged Alphv's ongoing extortion tactics.

"We are aware that other alleged Western Digital information has been made public. We are investigating the validity of this data and will continue reporting our findings as appropriate," Western Digital wrote in the update.

On April 17, Alphv listed Western Digital on its public leak site. Less than two weeks later, security researcher Dominic Alvieri shared a screenshot in which Alphv claimed that it had obtained full access to a backup of Western Digital's SAP back office. Perhaps more concerning, the ransomware gang claimed to have stolen video conference footage from a Western Digital meeting and code signing certificates.

"Regarding reports of the potential to fraudulently use digital signing technology allegedly attributed to Western Digital in consumer products, we can confirm that we have control over our digital certificate infrastructure. In the event we need to take precautionary measures to protect customers, we are equipped to revoke certificates as needed," the update read. "We'd like to remind consumers to always use caution when downloading applications from non-reputable sources on the internet."

Ransomware groups such as Alphv use increasingly aggressive extortion tactics if a victim is not paying.

While Western Digital's update confirmed that attackers obtained a copy of the storage vendor's database for its online store, additional questions remain more than one month after the attack first came to light. Western Digital has not revealed the attack vector or whether ransomware was involved; the scope of affected customer data is also unclear. The vendor said it would communicate with customers who were directly affected by the data breach.

Western Digital did not respond to requests for comment at press time.

Arielle Waldman is a Boston-based reporter covering enterprise security news.