MyPillow is listed as a vulnerable site for ransomware gangs, but denies it has been breached.
The Play ransomware gang claims to have stolen data from US pillow manufacturer MyPillow, with sensitive and confidential personal data.
The claim, which appeared on Play’s black web leak site earlier this week, threatens that an unspecified amount of data will be released on Friday, possibly revealing “private and confidential personal data, customers and other. documents, budgets, salary, IDs, taxes, financial information.”
However, since Straight Arrow Newswhich first reported details of the alleged ransomware attack, the pillow maker’s high-profile CEO Mike Lindell has dismissed claims that any security breach occurred at all.
Lindell – who is a prominent supporter of US President Donald Trump who currently wants to be elected governor of his home state, Minnesota, United States. Straight Arrow News that he did not know that there were allegations made about the alleged attack on his company until he was contacted by the media.
In addition, Lindell says that the claims made about the ransomware attacks are politically motivated:
“This is another project that has been hacked by external sources because I ran for the position of governor. I can assure you. We do not have any breach of our data.”
Lindell went on to say that his company has yet to receive any ransomware demands, and that the company does not store sensitive data internally, relying on third parties instead.
Whether MyPillow has actually been hacked, at the time of writing, is not confirmed. The company denies being hit, and the Play ransomware gang claims otherwise.
The truth will likely emerge soon, as the payment deadline listed by Play on its leak portal is reached tomorrow. If the deadline passes, the data will appear or it will not appear. And if it doesn’t show up, then chances are the attackers either don’t have MyPillow data at all, or they’ve been given a strong (often financial) incentive not to release it after all.
What would be wrong, however, is for MyPillow to think that saying “we don’t store sensitive data on our systems” provides a strong defense. That’s because it tells you where the data resides, not whether it’s safe.
Modern businesses provide customer records, payments, and financial information to a variety of third parties – payment processors, fulfillment partners, HR and payroll providers, CRM and email platforms, cloud hosts. Each of those systems can be breached, and attacks are increasingly targeting such providers because a single hack can expose multiple organizations’ data.
And from the perspective of the people whose data may be at risk – such as customers, employees, and business partners – the difference is learning.
If your name, address, payment information, or tax information ends up in a ransomware gang’s leak, it makes little practical difference whether it’s taken from MyPillow’s servers or from a contractor you represent.
Outsourcing the storage and processing of data does not mean that your business reputation will not be damaged in the event of a security breach, nor does it mean that the consequences for the affected individuals will be less severe.
We’ll soon know whether the Friday payment deadline from the Play ransomware team brings a data dump or a quiet anticlimax. One thing is for sure – ransomware gangs target anyone they think will pay, and strong defenses are a must for all organizations.
