Samsung Warns UK Customers of Data Breach

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

Samsung disclosed, in an email notification, a cybersecurity incident that is said to have impacted some of its customers in the UK. The data breach compromised personal information of those individuals.

The South Korean electronics giant said it discovered the incident on November 13, 2023; however, the breach is said to have occurred between 2019 and 2020, when an unknown actor accessed some customer information by exploiting a flaw in an external vendor's application.

According to the company’s notification, an “unauthorized individual exploited a vulnerability in a third-party business application we use, and that some personal information of certain customers who made purchases on SEUK’s eCommerce site between July 1, 2019 and June 30, 2020, was affected.”

Samsung did not share any details about the security incident, or the third-party application that allowed the threat actor to access the information on its eCommerce site.

Its notification revealed that the compromised information included customers’ names, phone numbers, and postal and email addresses. It assured its customers that the issue did not impact their passwords or financial information such as bank or credit card details.

As per the company’s statement, only customers in the UK seem to be affected by the breach; retailers and customers in other parts of the world do not appear to be affected. The organization has implemented the necessary security measures to resolve the issue. The incident has also been reported to the UK’s Information Commissioner’s Office.

This is the third time in the last two years that the tech giant’s system has been breached. In late July 2022, its US customers were impacted by a data breach in which their personal data was accessed by an unknown attacker. Prior to this, in March 2022, Samsung disclosed that its system had been infiltrated and internal data stolen, including source code related to the operation of Galaxy devices. The statement was released after the Lapsus$ hacking group leaked 190GB of stolen files related to the firm.

Online Pharmacy Truepill’s Data Breach Impacts Over 2 Million Individuals

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

Postmeds, operating as Truepill, revealed that unauthorized actors had breached its system and accessed personal information of more than 2.3 million people.

Truepill, an online business-to-business (B2B) pharmacy provider, uses APIs to make pharmacy product deliveries from businesses to consumers (B2C) across all 50 states in the US.

In a public notice as well as individual email notifications, the organization informed recipients about the cybersecurity incident, in which unknown hackers accessed its internal network between August 30 and September 1, 2023. “On August 31, 2023, we discovered that a bad actor gained access to a subset of files used for pharmacy management and fulfillment services,” the notification revealed.

The compromised information includes patients’ names, types of medication, demographic data (in some instances), and the names of prescribing physicians. Although Social Security numbers were not part of this breach, the exposed data leaves the impacted customers vulnerable to phishing and other types of social engineering attacks.

According to the data published on the US Department of Health and Human Services Office for Civil Rights’ portal, 2,364,359 individuals have been impacted by this breach. However, Truepill, in its notification, did not disclose any details about the attack, the number of impacted customers, or the type of information breached. Some of the impacted individuals expressed confusion on social media sites, claiming that they had never used Truepill’s services.

The data breach, as well as the delay in customer notification, has resulted in legal ramifications for Truepill (Postmeds). In the past few days, several class action lawsuits have been filed against the organization, alleging that it had not adhered to the requisite industry guidelines for securing customer information. Insufficient disclosure and delayed notification have also been argued as grounds for the lawsuits.