This 2016 story found many more people experiencing the same thing -- and has comments from more people who've had the same problem over the last two years.

http://www.10zenmonkeys.com/2016/01/04/dell-computers-has-be...

It suggests another possibility: that scammers are simply getting hired BY Dell, and then supplementing their hourly wage by trying to con Dell's customers out of hundreds of dollars more.

> that scammers are simply getting hired BY Dell, and then supplementing their hourly wage by trying to con Dell's customers out of hundreds of dollars more.

This, I've bought Dells in the past and one Indian based sales rep charged my payment card for an additional amount, I wonder if they expected me to not spot the extra charge but the card company refunded it. Thing is people deal with call centres so its easier as a criminal to join a large multinational company and operate from within as we assume big companies know what they are doing. Other problem is Intel Vpro/AMT is supplied in a lot of Dell equipment and its switched on by default. Even now, despite it being disabled, its not disabled as its 169992 port is showing up in ipv6 port scans. Intel really have created a hackers paradise with vPro/AMT.

Likely by design.

This has been going on for a while. Dell's customer service records were stolen. I thought this was fairly well known.

Did not know that. Googling it, it doesn't look small. Makes me realize that I miss the days when I could slap together a PC myself with parts I bought myself. Really too bad we can't do that with laptops.

You should look into barebone laptops.

Scammers have had access to Dell's customer service databases for upwards of like 3 years. I get the calls periodically and once spoke with someone from Dell's security dept. about it. It's not clear whether the databases are current or outdated, though, and it's not clear how they got them. It's definitely not as narrow as 'data from Windows based suport software' or anything, because in my case I get calls from "dell support" claiming my 4k monitor has a virus. They seem to have a full support registry (my monitor is in the database because I had to RMA it).

Sadly the nature of telecom security in the US means it's very hard to actually trace it back to them - the caller ID is always forged. As far as I know from speaking to Dell security staff they can't do anything without an unmasked number. If you get a call from the scammers try to get them to give you a callback number, because if it works it can be subpoenaed!

These are Indian (and other) call center employees who contract as support for Dell (and others) during the day and then use their access and company data after hours for some extra buck.

It has been going on for years, there was even an interview with one of these guys published - basically they do it because they would be stupid not to. It is essentially free money and the chances of getting caught are tiny. And even then the worst that will happen is that you get fired - and promptly re-hired by another call center operator.

This is very much Dell's fault for outsourcing English-speaking (it is not a problem for other languages because it is much harder to find e.g. French or German speakers in those cheap labor countries) to the lowest bidder in India and elsewhere.

It does happen in the west as well I remember being briefed about a BT call centre where crims would hang out in a nearby underpass and try and get staff to get information.

I did joke with my opposite number in Cellnet (o2) who was ex 2 Para and in the Territorial SAS about taking direct action :-)

So either Dell got hacked and they didn't notice, or they got hacked and didn't report it... Nice

There is no legal requirement in many countries for a company to report it has been hacked and even if there were, if they dont spot the hack how can they report it? See No Evil, Hear No Evil, Speak No Evil, problem solved. Beside with so many global businesses employing the best from around the world, how do these companies know they are not employing spooks with excellent fabricated grades? It might explain how Microsofts Win10 source code their crown jewels, was leaked online.

GPDR or whatever it's called requires it. So pretty much the entirety of the EU... Or companies with offices in the EU ... So if you're an EU citizen, you should have been notified by law.

Had this happen to me a few years back as well: https://b3n.org/dell-hacked-watch-out-for-social-engineering... so far Dell wasn't sent any communication my way to indicate they've been hacked.

I'm guessing that these customers are running Windows. And very likely as delivered by Dell. Might Dell have bundled a service that provides support information to Dell tech support? And might the scammers be exploiting that service, perhaps through an authentication weakness, without any customer data taken directly from Dell?

They outsource their tech support to the lowest bidder, mostly in difficult to monitor overseas offices. I'd say the most likely scenario is that underpaid Dell employees are just using their official access to do the scams or pass the information along to outside scammers.

I received the first call after I had a hardware issue with my laptop serviced on site. The service guy was just a random contractor, so when the call happened my immediate thought was "ah, somebody like that dude just vacuumed up all the customer data." Because, you know, big companies are really great at building secure internal software when chasing the cheapest dollar. </s>

I'm confident in this being the issue as I've dealt with support on multiple Dell service tags, and the only service tag the scammers know involved having to communicate with a different department than I usually have.

OK, that makes sense.

One person in the Ars Technica comment thread says they manage a lot of these machines in an enterprise environment, so surely they would be running clean Windows without any extra crapware, ruling out this possibility.

OK, thanks. But what's "crapware" to some may be features to others. Such as the remote-management clown parade.

I thought there were laws now requiring a declaration to the FTC of this kind of information loss, with penalties?

Isn't the typical "penalty" a year of free credit monitoring offered to the customer? (as if that does anything...you're stuck with most Personally-Identifying-Information for life and now it is already in the wild...)

Yes, been reported for years, I've been on the receiving end of such a call, and they knew the service tag of the computer.

Could it be that a reseller of Dell has been hacked someone stole the database and the data leak contains Service Tags, serial numbers?

It sounds like it could be either a data leak or a software security bug. This is just guesses.

I own a Dell Laptop and I've experienced this same phone call at least a dozen times. Its always someone with a thick indian accent as well.

They tell me my computer is compromised. It happened most frequently during news of Meltdown and Spectre, probably hoping to use predatory tactics on people who don't know any better.

I asked them to validate the information. They had my serial tag number, my purchase date, the model, my address, my fullname last name, etc. I bought this unit from bestbuy, I don't ever actually remember entering this information in. It might have been the dell bloatware installed on the PC, or information bestbuy gave to dell. This was 2013, I've gotten over dozens of phone calls since then

I remember distinctly playing the con-man and really seeing how much information they wanted. It was always "Sir, let me help you fix your computer its urgent your computer is h4ck3d". I never gave them access to my computer, but I did do one screensharing session out of sheer curiosity. He would have a convincing story about telling me to go to the event manager, point at some random unrelated item, tell me how come I've never noticed that before and spin a convincing story about my computer being compromised. He would have me run some basic terminal commands, I can't recall which ones, but it involved things like ipconfig among other things. Then we would go on some DNS tracing tools online, some were actually legitimate I checked the domain name on my other computer while this session was live.

I pretended to be gullible and naive so he would take the bait. I was brought to some scam site. I can't remember anymore what it was. But it was like a marketing ad agency, except it was clearly poorly designed with UX clearly designed by someone overseas (with proper ingrammer and such), and they sold prepaid hourly packages for "tech support" whatever that meant. Probably, it was actual overly priced tech support with blackmailing mixed on the side, and selling it to black data markets for creditcard theft. I didn't risk it venturing further

I have another whole story unrelated to this as well from company checks scams & Nigerian Princes that I personally experienced

I just ask them one simple question. Please email me an official confirmation via "yourname@dell.com" to validate everything stated on this phonecall. They never did. That's how I validate all phony calls, but normally I just hang up and look for the direct number on the official dell website.

I strongly considered running a Lenny anti-telemarketing chatbot, but I ended up just installing an app called "Should I answer?" to determine legitimacy of calls. Now I just straight don't answer calls I don't recognize anymore, I always make an effort to add contact information of people I care about. Calls can be spoofed for local numbers, and I have a voicemail. If it was important, a voicemail would be left.

Controversally, I find the data market to be interesting. I keep track of which companies have sold my data where, via something akin to honeypots using specific appended email addresses. There's a good reddit article here https://www.reddit.com/r/LifeProTips/comments/45k8f7/lpt_whe... , it doesn't work all the time but I have different email addresses for different purposes now.