A hacker using the alias 888 claimed responsibility for breaching Samsung Medison, a South Korean medical device subsidiary of Samsung, through an attack on a third-party contractor. The exposed data includes source code, private keys, SMTP credentials, hardcoded credentials, user PII (healthcare backup records), MSSQL database dumps, and AWS S3 cloud storage exports, all allegedly extracted and offered for sale on a cybercrime forum. Screenshots shared by the hacker reveal backend database content (SQL tables), employee/user records, internal logs, and cloud directories tied to Samsung Medison’s healthcare environment.

The leaked data poses severe risks, including identity theft, targeted phishing, and follow-up cyber intrusions, given the sensitivity of healthcare-related PII (names, emails, country details, and system logs). The hacker, with a history of high-profile breaches (e.g., Microsoft and Nokia in 2024), demanded payment in Monero (XMR) for the one-time sale. Samsung has not yet confirmed the breach’s authenticity, but if validated, the incident could trigger regulatory penalties, reputational damage, and operational disruptions in critical medical imaging systems used globally in hospitals and clinics.
Source: https://hackread.com/hacker-samsung-medison-data-breach-3rd-party/
TPRM report: https://www.rankiteo.com/company/samsung-medison
"id": "sam4692346111925",
"linkid": "samsung-medison",
"type": "Breach",
"date": "6/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['healthcare',
'medical devices',
'medical imaging'],
'location': 'South Korea',
'name': 'Samsung Medison Co., Ltd',
'type': 'subsidiary'}],
'attack_vector': ['third-party vendor compromise',
'credential harvesting',
'data exfiltration'],
'data_breach': {'data_exfiltration': ['confirmed (MSSQL and AWS S3 data '
'exported and dumped)'],
'file_types_exposed': ['SQL tables',
'configuration files',
'cloud directories',
'logs',
'backup files'],
'personally_identifiable_information': ['names',
'emails',
'country details',
'employee records'],
'sensitivity_of_data': ['high (healthcare PII, credentials, '
'proprietary source code)'],
'type_of_data_compromised': ['source code',
'credentials (private keys, '
'SMTP, hardcoded)',
'PII (names, emails, country '
'details)',
'database records (SQL)',
'cloud storage data (AWS S3)',
'internal logs',
'healthcare backup data']},
'date_publicly_disclosed': '2025-11-13',
'description': "A hacker using the alias '888' on a cybercrime forum is "
'offering internal records and data claimed to belong to '
'Samsung, specifically Samsung Medison (a healthcare '
'subsidiary). The breach reportedly originated from an attack '
'on a third-party contractor, granting access to sensitive '
'data including source code, private keys, SMTP credentials, '
'configuration files, hardcoded credentials, user PII from a '
'healthcare backup, MSSQL databases, and AWS S3 storage. The '
'data is being sold as a one-time offer, with payment demanded '
'in Monero (XMR). Screenshots shared by the hacker appear to '
'show backend database content and cloud storage data from '
"Samsung Medison's healthcare environment, including SQL "
'tables, user/employee records, internal logs, and exported '
'cloud directories. The incident poses significant privacy and '
'security risks, as the exposed data includes names, emails, '
'country details, SQL records, and cloud logs tied to a '
'healthcare setting.',
'impact': {'brand_reputation_impact': ['potential reputational damage due to '
'healthcare data exposure',
'risk of follow-up attacks'],
'data_compromised': ['source code',
'private keys',
'SMTP credentials',
'configuration files',
'hardcoded credentials',
'user PII (healthcare backup)',
'MSSQL database records',
'AWS S3 cloud storage data',
'SQL tables',
'user/employee records',
'internal logs',
'exported cloud directories',
'names',
'emails',
'country details'],
'identity_theft_risk': ['high (PII and credentials exposed)'],
'legal_liabilities': ['potential GDPR/HIPAA violations (if '
'healthcare data confirmed)',
'regulatory scrutiny'],
'systems_affected': ['MSSQL databases',
'AWS S3 storage',
'backend healthcare systems']},
'initial_access_broker': {'data_sold_on_dark_web': ['one-time sale via '
'Keybase, payment in '
'Monero (XMR)'],
'entry_point': ['third-party contractor compromise'],
'high_value_targets': ['Samsung Medison healthcare '
'data',
'MSSQL and AWS S3 access']},
'investigation_status': ['under verification by Samsung',
'screenshots analyzed by Hackread.com'],
'motivation': ['financial gain', 'data sale on dark web'],
'post_incident_analysis': {'root_causes': ['third-party security '
'vulnerabilities',
'potential credential '
'mismanagement']},
'references': [{'date_accessed': '2025-11-13', 'source': 'Hackread.com'}],
'regulatory_compliance': {'regulations_violated': ['potential GDPR (if EU '
'citizen data involved)',
'potential HIPAA (if US '
'healthcare data involved)',
'South Korean PIPA '
'(Personal Information '
'Protection Act)']},
'response': {'communication_strategy': ['Samsung contacted for comment (via '
'Hackread.com)']},
'threat_actor': {'alias': '888',
'history': ['Breach Forums (historical activity)',
'July 2024: Leaked employee records from '
'Microsoft and Nokia'],
'motivation': ['financial gain', 'data monetization']},
'title': 'Alleged Samsung Medison Data Breach via Third-Party Contractor',
'type': ['data breach',
'third-party compromise',
'credential theft',
'unauthorized access']}