After six weeks, Western Digital's online store is still closed.

Six weeks after a March 26 breach, Western Digital's online store is still unavailable. WD is still investigating how much of its data was copied by the attackers. In light of the attack, it cautioned users to be wary of unsolicited emails that request personal information or ask them to download and run suspicious-looking software on their computers.

According to a May 5 SEC filing by WD, the drive manufacturer's investigation into the IT attack is still ongoing, and most affected systems and services, including MyCloud, are now operating. The shut-down MyStore function should reopen in the week beginning May 15. The filing confirmed that at the start of April, WD withdrew its systems and services from the open internet after learning about the incident. It shipped products to businesses and other non-consumer customers from its plants, and still does so today.

According to its statement, criminals copied a database used for WD's online store that includes customer names, billing and shipping addresses, email addresses, and telephone numbers. The database also contained hashed and salted passwords as well as partial credit card information, in encrypted form. WD has already started emailing the affected customers directly to inform them that their information was misused.

Late in April, a cybersecurity researcher tweeted that BlackCat, the ransomware group also known as ALPHV that is alleged to have infiltrated WD, had made copies of internal data stolen from the company available to the public and had even intruded on a video conference call allegedly involving WD staff or those working for them. The website of BlackCat-ALPHV, which boasts about the companies it has compromised, can be seen below.

In an effort to pressure the hard drive manufacturer into paying millions of dollars to keep what is allegedly 10TB of stolen information secret, BlackCat started publishing bits and pieces of the stolen WD files on a weekly basis via its blog. According to reports, the stolen data contained firmware files and customer-specific personally identifying data. To our knowledge, Western Digital has not yet paid the demanded ransom, despite the ransomware gang's threat to sell the data to third parties if it didn't.

In its filing, Western Digital said it is "aware that other alleged Western Digital information has been made public," without specifying what that information is. If thieves are able to trick victims in the future by digitally signing emails and files with WD's stolen signing certificate, no one would be able to trust any download or document from WD.

"Regarding reports of the potential to fraudulently use digital signing technology purportedly attributed to Western Digital in consumer products, we can confirm that we have control over our digital certificate infrastructure," WD continues in its SEC filing. "We have the capability to revoke certifications as necessary in the event that we must take preventative action to safeguard clients. We would like to advise users to always exercise caution when downloading software from dubious sources online."

On the one hand, Western Digital can revoke the stolen certificates to prevent their potential use for nefarious purposes in the future. On the other hand, doing so will require collaboration with partners and developers of operating systems. WD will need to know the extent of any potential certificate fraud before informing consumers that any impacted certificates have been revoked and replaced. This can have financial repercussions.

WD releases its third-quarter fiscal 2023 results today after US stock markets close. The third quarter of its fiscal year (FY) 23 ends at the end of March, so the cyberattack's effects on revenue will fall in the fourth quarter, which ends on June 30. WD's executives will likely be questioned about the matter during the earnings call, though.
