Samsung has disclosed a security compromise after hackers stole and published nearly 200 terabytes of proprietary data, including source code for various biometric unlock technologies and algorithms.
The Lapsus$ hacker gang, which accessed Nvidia and then exposed thousands of employee passwords online, claimed responsibility for the attack. In a post on its Telegram channel, Lapsus$ claims to have obtained source code for trusted applets installed in Samsung’s TrustZone environment, which Samsung phones use for performing sensitive operations; algorithms for all biometric unlock operations; and bootloader source code for all recent Samsung Galaxy devices.
The stolen data allegedly includes confidential data from Qualcomm, a US chipmaker that supplies chipsets for Samsung smartphones sold in the US.
Access to source code can assist threat actors in discovering security flaws that might otherwise go undetected, possibly opening up affected devices or systems to exploitation or data exfiltration.
When reached for comment, representatives for Samsung and Qualcomm did not immediately respond. In a statement shared with Bloomberg, however, Samsung confirmed a “security breach” involving certain internal company data and stated that no personal data belonging to customers or employees was accessed by the hackers.
“According to our preliminary analysis, the breach involves some source code relating to the operation of Galaxy devices, but does not include personal information about our customers or employees,” Samsung said in a statement. “At this time, we do not expect any impact on our business or customers. We have put in place safeguards to prevent similar situations in the future, and we will continue to serve our clients without interruption.”
It’s unclear whether Lapsus$ demanded a ransom from Samsung before leaking the data, as it did with Nvidia, against which it made increasingly odd demands. The gang asked that the American chipmaker disable its contentious Lite Hash Rate (LHR) feature and open-source its graphics chip drivers for macOS, Windows, and Linux devices.
That deadline passed on Friday, but the hacker organization has failed to carry out its threat.