Anatomy of a Breach

Anatomy of a Breach: Western Digital — My Cloud Offline for Two Weeks and 10TB of Internal Data Stolen

> series: anatomy_of_a_breach —— part: 172 —— target: western_digital —— data_stolen: 10TB —— my_cloud: offline_2_weeks

Hedgehog Security 30 April 2023 12 min read

A data storage company. 10TB stolen. My Cloud offline for two weeks. The irony writes itself.

On 3 April 2023, Western Digital disclosed that an unauthorised party had gained access to its internal systems and obtained data. The company took its My Cloud consumer cloud storage platform offline as a precautionary measure — locking millions of users out of their own files, photos, and backups for approximately two weeks. The attackers claimed to have stolen approximately 10 terabytes of internal data.

The group behind the attack — associated with the ALPHV/BlackCat ransomware operation — published evidence of their access including screenshots of internal videoconferences, SAP backend systems, and executive emails. They demanded a 'minimum 8 figure' ransom and threatened to publish the stolen data. Western Digital did not pay. The breach was particularly embarrassing for a company whose core business is data storage and protection — joining the pattern of security and infrastructure vendors breached throughout this series: RSA, LastPass, Imperva, NordVPN, and now Western Digital.



My Cloud offline. Users could not access their own data. For two weeks.

Cloud Dependency Risk

Millions of My Cloud users discovered that 'their' cloud data was accessible only when Western Digital's systems were operational. The two-week outage highlighted cloud dependency risk — when your cloud provider is breached or disrupted, your data is inaccessible. Cloud configuration reviews assess cloud dependency and data portability.

The Storage Company Could Not Protect Its Own Data

Western Digital's entire business is storing and protecting data — yet it could not protect its own internal systems from a 10TB theft. Like HBGary Federal and Imperva, the breach proved that domain expertise does not confer defensive immunity. Our penetration testing verifies security regardless of the organisation's claimed expertise.

Internal Communications Exposed

Videoconference screenshots and internal emails were published — continuing the pattern from Sony Pictures (2014), the DNC (2016), and HBO (2017): internal communications, once stolen, are invariably weaponised for embarrassment and leverage.

ALPHV/BlackCat: Sophisticated Ransomware Operation

ALPHV/BlackCat was one of the most active ransomware-as-a-service operations of 2022-2023, known for targeting high-profile organisations and using advanced extortion techniques. SOC in a Box (https://www.socinabox.co.uk) monitors for ALPHV/BlackCat indicators. UK Cyber Defence (https://www.cyber-defence.io/services/threat-intelligence) tracks ransomware group operations.

Your data's safety depends on your provider's security. Not their brand.

Western Digital's breach proved that a company's brand, reputation, and domain expertise do not guarantee its security. For UK organisations selecting cloud storage, backup, and data management providers, the provider's actual security posture — verified through testing and auditing, not marketing — must be the basis of trust. Cyber Essentials certification of providers demonstrates baseline security. Our penetration testing verifies actual security. SOC in a Box monitors for the anomalous activity that indicates vendor compromise. And UK Cyber Defence provides incident response when storage and backup providers are breached.


Western Digital — a data storage company — had 10TB stolen. Is your data provider tested?

Penetration testing verifies provider security. Cyber Essentials certifies the baseline. SOC in a Box (https://www.socinabox.co.uk) monitors for provider compromise.
