Dell customer order database of '49M records' stolen, now up for sale on dark web

Dell has confirmed information about its customers and their orders has been stolen from one of its portals. Though the thief claimed to have swiped 49 million records, which are now up for sale on the dark web, the IT giant declined to say how many people may be affected.

According to the US computer maker, the stolen data includes people's names, addresses, and details about their Dell equipment, but does not include sensitive stuff like payment info. Still, its portal was compromosed.

"We recently identified an incident involving a Dell portal with access to a database containing limited types of customer information including name, physical address and certain Dell hardware and order information," a Dell spokesperson told The Register today.

"It did not include financial or payment information, email address, telephone number or any highly sensitive customer data."

A report at the end of last month from the aptly named Daily Dark Web suggested as many as 49 million Dell customers may have had some of their account information taken. The data is said to cover purchases made between 2017 and 2024.

Judging from a screenshot of a sample of the stolen info, the Dell database now up for sale includes the following columns: service tag, items, date, country, warranty, organization name, address, city, province, postal code, customer code, and order number.

Dell says once it discovered the digital break-in, it began an investigation, took steps to contain the damage, notified law enforcement, and hired a third-party forensic firm.

"We continue to monitor the situation and take steps to protect our customers’ information," Dell's spokesperson said. "Although we don’t believe there is significant risk to our customers given the type of information involved, we are taking proactive steps to notify them as appropriate."

In an email to customers, Dell similarly downplayed the significance of the data exposure.

The most recent similar incident at Dell that we're aware of occurred in 2018 when the corporation's network was infiltrated by unknown individuals and the biz reset customer passwords.

Earlier this year, the US Federal Communications Commission expanded its data loss reporting requirements to cover telecommunications and voice-over-IP services.

A recent rulemaking from the US government's CISA, in support of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), looks likely to expand the number of organizations required to report data intrusions to the government within 72 hours. ®