Dell announced late on Nov. 28 that its Dell.com customer-facing website was the victim of a cyber-attack.
The attack was apparently discovered by Dell on Nov. 9, with attackers taking aim at usernames, email addresses and passwords that had been cryptographically hashed. According to Dell, it has no evidence that customer information was actually removed from the site.
“Upon detection of the attempted extraction, Dell immediately implemented countermeasures and initiated an investigation. Dell also retained a digital forensics firm to conduct an independent investigation and has engaged law enforcement,” Dell stated in a media advisory on the cyber-security incident.
Dell emphasized in its advisory that it has risk mitigation measures in place to deal with cyber-security incidents. The company noted that credit card information was not targeted and there was no direct impact on Dell’s products or services.
Password hashing, which is what Dell has in place for customers on Dell.com, is a cryptographic approach to scrambling and protecting passwords, such that if an attacker gets the password hash, it’s still not easily usable. Going a step further, Dell announced that it has initiated a mandatory password reset for all of its Dell.com users to further mitigate any potential risk.
“Hashed passwords, along with the password reset, limit exposure of customers’ account information,” Dell wrote in a customer update note on the cyber-security incident. “Customers are encouraged to change passwords for other accounts if they use the same password for their Dell.com account.”
Dell has not yet publicly stated if it has determined the root cause of the attack or where it came from. That said, Dell stated it has engaged with law enforcement as well as a digital forensics firm to conduct additional investigation and analysis.
“We are disclosing this incident now based on findings communicated to us by our independent digital forensics firm about the attempted extraction,” Dell stated.
Industry reaction to the Dell website hack disclosure has been somewhat mixed, though experts contacted by eWEEK were largely positive about how Dell has handled the situation.
“Dell has responded to the incident very well overall,” Joe Perry, director of research at Cybrary, told eWEEK. “They took immediate steps to correct the problem, performed the kind of analysis necessary to identify whether the breach caused actual data loss, then released a statement with the information they have.”
Perry added that Dell probably could have made the disclosure earlier, but two weeks isn’t a terrible timeline in view of the fact that the company took immediate action.
Brian Contos, chief information security officer and vice president of Technology Innovation at Verodin, was somewhat less positive about the Dell cyber-security incident. According to Contos, the incident is yet another example of a company that has the talent and technology to do things right but still suffers from a breach.
“There is a gap in almost every organization—midsized, F500s, G2000s and government agencies—between how we think our security tools are working and how our security tools are actually working,” he told eWEEK. “As such, we can have all the right tech with all the best people and still suffer a breach.”
For enterprises, Contos said there needs to be a mind shift that occurs to make breaches less common. In his view, the shift that is needed is a focus on validating the effectiveness of actual security tools—what’s working, what’s not, and how to fix it—instead of the relying on assumption-based security and hoping that security tools are actually providing value.
For end users, Perry said password reuse is a primary concern.
“You know that password you keep reusing? Stop it. But since you’re not going to stop reusing your password, at least change it on all of your other sites,” Perry said. “Password reuse is one of the main value-adds of breaches like this, and supposedly secure sites like Dell see more reuse than sites like Facebook or Twitter, which have histories of password disclosure.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.