Dell warns of an “incident” in which customers’ personal information may have been exposed

For years, Dell customers have received scam calls from people claiming to be part of the computer maker’s support team. The scammers call from a valid Dell phone number, know the customer’s name and address, and use information that should only be known by Dell and the customer, including the service tag, computer model, and serial number that come with linked to a previous purchase. The callers then attempt to trick the customer into making a payment, installing questionable software, or taking other potentially harmful actions.

According to numerous social media posts like this one, Dell recently informed an unspecified number of customers that names, physical addresses, and hardware and order information related to previous purchases were somehow linked to a “Dell Portal-related incident, which contains: Database containing limited types of customer information.” The vague language, which Dell declined to elaborate on, appears to confirm an April 29 Daily Dark Web post about the offer to sell what it claims are 49 people’s personal information Millions of people are reported to have purchased Dell devices between 2017 and 2024.

The affected customer information is identical in both the Dell notification and the for-sale ad, which was posted and later removed from Breach Forums, an online bazaar for people looking to buy or sell stolen data. According to Dell and the complaint, customer information stolen included:

• Surname
• Physical address
• Dell hardware and ordering information, including service tag, item description, order date and related warranty information

The Daily Dark Web expanded on the data the seller claimed to have acquired:

The data, which purports to be current information registered on Dell servers, includes important personal and corporate information such as full names, addresses, cities, provinces, zip codes, countries, systems unique 7-digit service tags, and system shipping data (Warranty Start Date), Warranty Plans, Serial Numbers (for monitors), Dell Customer Numbers and Dell Order Numbers. Notably, the threat actor claims to be the sole owner of this data, underscoring the severity of the breach. Among the overwhelming number of records, approximately 7 million rows relate to individual/personal purchases, while 11 million relate to companies in the consumer segment. The remaining data refers to companies, partners, schools or unidentified entities.

The “incident,” as Dell lawyers and marketers are calling it — or a similar incident that may have occurred before — would solve a mystery that has plagued customers and reporters for nearly a decade: How fraudsters get hold of information that only Dell and the target customer are known? ? Although none of the sources indicate that phone numbers were affected, it would not be difficult for fraudsters to use names and physical addresses to search other databases for this information.

However, in an email, a Dell representative said, “There is no indication that these incidents are related,” without elaborating. The representative declined to answer further questions, including whether the company has any idea how customer information has ended up in the hands of fraudsters for nearly a decade. The statement continued: “Given the nature of the information involved, we believe there is no significant risk to our customers.”

As I reported in 2016 and again 18 months later, numerous Dell customers reported receiving the calls. Dell’s official response claimed both times that the calls were part of an industry-wide problem plaguing many technology companies. To date, Dell has not admitted that the calls are different because they use information known only to Dell and the customer.

Anyone who receives unsolicited calls claiming to be from Dell should hang up and either ignore them or call the Dell support line directly. You should not contact the caller or provide them with any information. It is also possible that fraudsters who have this information may use it in emails sent to their email address or physical address, assuming the fraudsters can find them through a people search service. The same advice applies.