In a communication with BleepingComputer, Dell has recently acknowledged a breach of its Customer Solutions Centers platform, which encompasses a variety of programs for evaluating technology solutions. The Dell Customer Solutions Centers are partitioned from the rest of Dell’s customer-facing networks and internal systems, so the breach affecting this platform should not pose much risk to customer data or sensitive internal data.
Dell representatives state that the data used in this platform is primarily synthetic; the remaining data in use consists of information that is already publicly available, non-sensitive information, or testing data. A sample of the data obtained from this leak has been published on the World Leaks data leak site. The volume of the data is stated as approximately 1.3 TB, and the full package contains over 400,000 files, including configuration scripts, system backups, and materials linked to several different Dell products.
At the time of writing, the incident is still under investigation at Dell, so more information on this breach is likely to come to light in the coming days. Interestingly, the World Leaks organization continues to insist their stolen data is authentic and valuable, contrary to statements made by Dell about everything being fake and/or outdated.
As we’ve alluded to up to this point, Dell has had quite a history as far as data breaches are concerned, especially in the last year. Most recently in September of 2024, Dell confirmed that they were investigating a claim of multiple breaches perpetrated by the threat actor known as “grep” with assistance from another threat actor named “chucky.”
The data corresponding to this breach was posted to Breached forums by grep themselves, and purportedly contained sensitive details on Dell employees and partners such as employee IDs, full names, employment status, etc. A second breach announcement followed shortly thereafter, also by “grep,” claiming that they had been able to compromise Dell’s Atlassian environment and obtain access to a variety of files like Jira documents, database tables, schema migration data, etc.
Earlier, in May of 2024, Dell confirmed a breach perpetrated by the threat actor named Menelik. This breach contained approximately 49 million customer records, which Menelik was able to access by registering on a Dell partner portal while posing as a fake company. At the time, it seems that anyone was able to register for a partner portal without any verification.
Moving back a little further, in November of 2018 Dell reported that it had experienced a “cybersecurity incident” when an unknown group of attackers attempted to infiltrate its internal networks and steal customer information, including names, email addresses, and hashed passwords. For this incident, Dell found no evidence that any customer information was extracted. They also required a mandatory password reset for all accounts on Dell.com.
World Leaks is one of the most active data extortion actors in 2025. They originally operated as a ransomware-as-a-service platform under the name Hunters International, which shared several similarities with Hive ransomware. They worked with affiliates to compromise systems, encrypt files, and demand a ransom. The Hunters International operation was shut down in January of this year.
With this rebrand came a slight shift in tactics. The group is no longer focusing on deploying ransomware but is instead focused on data theft and extortion. This move means they can now avoid the heavy lifting and complications that ransomware tactics may require. The group tends to target less secure or non-production environments, as we've seen with this Dell incident. They also manage a dark web leak site for the purpose of showcasing victims and pressuring them for payment.
In addition to this Dell attack, they are also noted as being responsible for a breach of Kentfield Hospital in California earlier this month, claiming to have exfiltrated nearly 150GB of protected health information. They have also taken credit for attacking the Swiss company Chain-IQ recently, claiming to have stolen over 900GB worth of business contact data for their employees.
In summary, Dell acknowledged to BleepingComputer that its Customer Solutions Centers platform had been breached. Dell states that the data stolen is primarily fake, but the World Leaks data leak site indicates that approximately 1.3 TB of data has been stolen. Samples indicate the data contains a variety of configuration files and system backups.
Unfortunately, Dell is not a stranger to breach incidents, especially in the last year. In September of last year, they were investigating a duo of breaches containing information on their employees and files contained within their Atlassian environment. In May of last year, they were subject to another breach involving approximately 49 million customer records.
Finally, World Leaks is a rebrand of the Hunters International group, which was a prominent ransomware group that dissolved in January of this year. In addition to the name change, the group has also switched focus from deploying ransomware to a more direct data theft and extortion approach. They are responsible for several attacks this year including against a hospital in California and a supply chain management company in Switzerland.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com