Dell Inc. has reset all customer passwords in response to a hacking attempt on Nov. 9.
In a statement Wednesday, Dell said it had detected and disrupted unauthorized activity on its network attempting to extract Dell.com customer information, which was limited to names, email addresses and hashed passwords.
Playing it safe, the computer systems maker added that “though it is possible some… information was removed from Dell’s network, our investigations found no conclusive evidence that any was extracted.” The form of the attack was not disclosed.
Stephen Moore, chief security strategist at Exabeam Inc., said in a report that large organizations — especially ones the size of Dell — are usually responsible for massive amounts of data.
“All of that data gives attackers more places to hide,” Moore explained. “For example, some of the hackers can easily enter a network with the mass of a less sensitive — and thus less monitored — vector such as an unprotected cloud server, an IoT device or any type of the shared team member laptop. They can then even move laterally from that single point of a device to access critical resources spread across the organization.”
For that reason, he added, organizations must shift their enterprise security strategy. “Network security simply isn’t enough,” Moore said. “The key is to simply move fast and then try to consider an approach which is as of now closely aligned with monitoring different sets of user behavior — to provide the necessary visibility needed to restore trust, and react in real time, to protect customer data. This should also include the ability to detect, with the help of behavioral characteristics, when events have occurred.”
Matan Or-El, chief executive officer of Panorays Inc., noted that cybercriminals will repeatedly pummel websites, probing for a way to get in, especially with large companies such as Dell.
“While Dell took immediate action once the unauthorized activity was detected, it still took almost 21 days to let customers know that they needed to change their passwords,” Or-El said. “New data privacy laws going into effect will start to force companies to report incidents like these in 72 hours, so that consumers can mitigate the impact to their personal information or credit cards.”