Samsung has confirmed a security breach after hackers obtained and leaked almost 200 gigabytes of confidential data, including source code for various technologies and algorithms for biometric unlock operations.
The Lapsus$ hacking group — the same group that infiltrated Nvidia and subsequently published thousands of employee credentials online — took responsibility for the breach. In a post on its Telegram channel, Lapsus$ claims to have obtained source code for trusted applets installed in Samsung’s TrustZone environment, which Samsung phones use for performing sensitive operations, algorithms for all biometric unlock operations and bootloader source code for all recent Samsung Galaxy devices.
The stolen data also allegedly includes confidential data from U.S. chipmaker Qualcomm, which supplies chipsets for Samsung smartphones sold in the United States.
Access to source code can help threat actors find security vulnerabilities that otherwise might not be easily found, potentially opening affected devices or systems to exploitation or data exfiltration.
A spokesperson for Samsung confirmed a “security breach” related to some internal company data but said no personal data belonging to customers or employees was accessed by the hackers.
“According to our initial analysis, the breach involves some source code relating to the operation of Galaxy devices, but does not include the personal information of our consumers or employees,” Samsung said. "Currently, we do not anticipate any impact to our business or customers. We have implemented measures to prevent further such incidents and will continue to serve our customers without disruption.”
When reached, Qualcomm said it was aware of an incident reportedly involving Samsung. "We take these claims very seriously and are working expeditiously with Samsung to understand the scope of the incident, as well as to confirm what Qualcomm data, if any, has been impacted. We have no reason to believe that Qualcomm systems or security were impacted as a result of this reported incident," said Qualcomm spokesperson Clare Conley.
It’s not yet clear whether Lapsus$ demanded a ransom from Samsung before leaking the data, as it did with increasingly bizarre demands aimed at Nvidia. The gang called on the U.S. chipmaker to disable its controversial Lite Hash Rate (LHR) feature and demanded it open-source its graphics chip drivers for macOS, Windows and Linux devices.
That deadline came and went on Friday, but the hacking group has yet to follow through with its threat.
Updated with comment from Qualcomm.