Samsung Electronics is notifying some of its customers of a data breach that exposed their personal information to an unauthorized individual.

The company says that the cyberattack impacted only customers who made purchases from the Samsung UK online store between July 1, 2019, and June 30, 2020.

Hacker exploits bug in third-party app

Samsung discovered the data breach two days ago, on November 13, and determined that it was the result of a hacker exploiting a vulnerability in a third-party application the company used.

No details have been provided about the security issue leveraged in the attack or the vulnerable application that enabled the attacker to access Samsung customer's personal information.

The notification to customers says that exposed data may include names, phone numbers, postal and email addresses. The company underlines that credentials or financial information remains unaffected by the incident.

Samsung notifies customers of UK store of a data breach
Samsung alerts customers of a new data breach
source: Michael Valentine

A Samsung spokesperson told BleepingComputer that the company was recently alerted of a cybersecurity incident that is limited to the UK region and does not affect data belonging to customers in the U.S., employees, or retailers.

“We were recently alerted to a cybersecurity incident, which resulted in certain contact information of some Samsung UK e-store customers being unlawfully obtained. No financial data, such as bank or credit card details, or customer passwords, were impacted. The incident is limited to the UK and does not affect U.S. customers, employees or retailer data” - Samsung

The company has taken all necessary steps to address the security issue, the representative told BleepingComputer, adding that the incident has also been reported to the UK’s Information Commissioner’s Office.

This is the third data breach Samsung has suffered in two years. The previous one occurred in late July, 2022 - discovered on August 4, when hackers accessed and stole Samsung customers' names, contacts and demographic information, dates of birth, and product registration data.

In March 2022, the data extortion group Lapsus$ breached Samsung’s network and stole confidential information, including source code for Galaxy smartphones.

Samsung confirmed that “certain internal data” had fallen into the hands of an unauthorized party after Lapsus$ leaked about 190GB of archived files along with a description of the contents.

Related Articles:

Microsoft says Russian hackers breached its systems, accessed source code

Philadelphia Inquirer: Data of over 25,000 people stolen in 2023 breach

Change Healthcare hacked using stolen Citrix account with no MFA

Collection agency FBCS warns data breach impacts 1.9 million people

Kaiser Permanente: Data breach may impact 13.4 million patients