Incident Types: The types of cybersecurity incidents that have occurred include Breach, Ransomware and Vulnerability.

Detection and Response: The company detects and responds to cybersecurity incidents through an communication strategy with customers of western digital are advised to exercise caution when responding to unsolicited mailings that request personal information from them or direct them to a website that does the same. customers are advised against opening attachments or clicking on links in shady communications., and third party assistance with forensic and security specialists, and and containment measures with stopped a number of its services, and communication strategy with notifying customers through letters, and and third party assistance with vulnerability privately reported by a researcher, and containment measures with firmware update (v5.31.108) released to patch vulnerability, and remediation measures with urgent advisory for users to update firmware; automatic updates enabled for connected devices, and communication strategy with public advisory, firmware update notifications, email alerts for subscribers, and and third party assistance with security researcher 'w1th0ut' (vulnerability reporter), and containment measures with firmware update (5.31.108), containment measures with recommendation to take devices offline if unpatched, and remediation measures with patching vulnerable endpoints, remediation measures with disabling remote access until patched, and recovery measures with manual update instructions provided, recovery measures with automatic updates enabled since 2025-09-23, and communication strategy with public security advisory, communication strategy with update instructions for manual patching..

Common Attack Types: The most common types of attacks the company has faced is Vulnerability.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Firmware UI (OS command injection via HTTP POST request) and Vulnerable HTTP POST endpoints in My Cloud UI.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Customer Names, Shipping And Billing Addresses, Phone Numbers, Email Addresses, Hashed Or Salted Passwords, Partial Credit Card Details, , Sensitive personal information, Potential: All Data Stored On Affected Nas Devices (Documents, Backups, Project Files, Etc.), , Potential: Stored Files (Personal/Cloud Data), User Credentials, Configuration Data and .

Third-Party Assistance: The company involves third-party assistance in incident response through Forensic and security specialists, Vulnerability privately reported by a researcher, , Security researcher 'w1th0ut' (vulnerability reporter), .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Urgent advisory for users to update firmware; automatic updates enabled for connected devices, , Patching vulnerable endpoints, Disabling remote access until patched, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by stopped a number of its services, firmware update (v5.31.108) released to patch vulnerability, , firmware update (5.31.108), recommendation to take devices offline if unpatched and .

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Manual update instructions provided, Automatic updates enabled since 2025-09-23, .

Key Lessons Learned: The key lessons learned from past incidents are Proactive vulnerability disclosure and rapid patching are critical for IoT/NAS devices, which often store sensitive data and can serve as entry points for broader network compromises. Automatic firmware updates can significantly reduce exposure windows.Critical importance of timely patching for consumer-facing IoT/NAS devices,Need for clear end-of-support (EoS) mitigation strategies,Risks of remote command execution in network-attached storage systems.

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Western Digital, and Source: Western Digital Security Advisory, and Source: Western Digital Security Advisory, and Source: Firmware Update Instructions, and Source: Manual Update Firmware Downloads.

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Customers of Western Digital are advised to exercise caution when responding to unsolicited mailings that request personal information from them or direct them to a website that does the same. Customers are advised against opening attachments or clicking on links in shady communications., Notifying customers through letters, Public Advisory, Firmware Update Notifications, Email Alerts For Subscribers, Public Security Advisory and Update Instructions For Manual Patching.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Customers of Western Digital are advised to exercise caution when responding to unsolicited mailings that request personal information from them or direct them to a website that does the same. Customers are advised against opening attachments or clicking on links in shady communications., Notifying customers through letters, Public Advisory Issued; Firmware Update Notifications Sent To Users, Users Urged To Update Firmware Via Notifications And Public Communications, , Public advisory issued with patching instructions and Users notified via device updates and public channels.

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Forensic and security specialists, Vulnerability Privately Reported By A Researcher, , Security Researcher 'W1Th0Ut' (Vulnerability Reporter), .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Released Patched Firmware (V5.31.108) To Address The Vulnerability, , Released Firmware Patch (5.31.108) For Supported Devices, Public Disclosure And Patching Instructions, Recommendation To Isolate Or Replace Eos Devices, .

Last Attacking Group: The attacking group in the last incident was an Unauthorized individual.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-09-23.

Most Recent Incident Resolved: The most recent incident resolved was on 2024-09-23.

Most Significant Data Compromised: The most significant data compromised in an incident were Customer names, Shipping and billing addresses, Phone numbers, Email addresses, Hashed or salted passwords, Partial credit card details, , Sensitive personal information, Potential full access to stored data (if exploited), , Potential unauthorized file access, Modification, Deletion, User enumeration and .

Most Significant System Affected: The most significant system affected in an incident was My CloudMy Cloud HomeMy Cloud Home DuoMy Cloud OS5SanDisk ibiSanDisk Ixpand Wireless Charger and My Cloud PR2100My Cloud PR4100My Cloud EX2 UltraMy Cloud EX4100My Cloud Mirror Gen 2My Cloud EX2100My Cloud DL2100My Cloud DL4100My Cloud WDBCTLxxxxxx-10 and My Cloud PR2100My Cloud PR4100My Cloud EX4100My Cloud EX2 UltraMy Cloud Mirror Gen 2My Cloud DL2100My Cloud EX2100My Cloud DL4100My Cloud WDBCTLxxxxxx-10.

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Forensic and security specialists, vulnerability privately reported by a researcher, , security researcher 'w1th0ut' (vulnerability reporter), .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Stopped a number of its services, Firmware update (v5.31.108) released to patch vulnerability and Firmware update (5.31.108)Recommendation to take devices offline if unpatched.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Email addresses, Hashed or salted passwords, Potential unauthorized file access, Partial credit card details, Deletion, User enumeration, Customer names, Modification, Shipping and billing addresses, Potential full access to stored data (if exploited), Sensitive personal information and Phone numbers.

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Risks of remote command execution in network-attached storage systems.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Consider replacing end-of-support (EoS) devices (DL2100, DL4100), Monitor for unauthorized access or suspicious activity, Isolate NAS devices on separate network segments to limit lateral movement risk., Enable automatic firmware updates where possible., Monitor for unusual access patterns or unauthorized commands on NAS devices., Disable remote access if patching is delayed, Enable automatic updates for future vulnerabilities, Immediately update My Cloud NAS devices to firmware 5.31.108, Regularly audit stored data sensitivity and implement backup strategies to mitigate ransomware risks., Immediately update My Cloud NAS devices to firmware v5.31.108 or later. and Take unpatched devices offline to prevent exploitation.

Most Recent Source: The most recent source of information about an incident are Firmware Update Instructions, Manual Update Firmware Downloads, Western Digital and Western Digital Security Advisory.

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Public advisory issued; firmware update notifications sent to users, Public advisory issued with patching instructions, .

Most Recent Customer Advisory: The most recent customer advisory issued were an Customers of Western Digital are advised to exercise caution when responding to unsolicited mailings that request personal information from them or direct them to a website that does the same. Customers are advised against opening attachments or clicking on links in shady communications., Notifying customers through letters, Users urged to update firmware via notifications and public communications and Users notified via device updates and public channels.

Most Recent Entry Point: The most recent entry point used by an initial access broker was an Vulnerable HTTP POST endpoints in My Cloud UI.

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was OS command injection vulnerability in firmware UI due to insufficient input validation, OS command injection vulnerability in user interfaceInsufficient input validation for HTTP POST requestsLack of mitigation for end-of-support (EoS) devices.

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Released patched firmware (v5.31.108) to address the vulnerability, Released firmware patch (5.31.108) for supported devicesPublic disclosure and patching instructionsRecommendation to isolate or replace EoS devices.