While the hacking of Jennifer Lawrence, Kate Upton, and other celebrities' iCloud accounts has produced endless commentary, there's a big issue that IT professionals should be paying attention to: what exactly counts as a data breach?
According to a report on NPR, while Apple has insisted that it should not be blamed, IT security experts argued that the company is at fault because weak default iCloud settings (among other factors) provided just enough wiggle room for hackers to find a way into the private lives of celebrities.
Potentially, millions of dollars are at stake, as Apple could be sued for negligence if its security practices weren't up to snuff. But before we talk about the company's IT liability, let’s look at exactly how Apple got hacked.
Bad Apples: What IT Consultants Can Learn from the iCloud Hack
While Apple has a solid reputation for data security, it appears that the company botched some aspects of their cloud security. Hackers were able to work their way into iCloud because…
- Find My iPhone service lets hackers repeatedly try new password / login combinations. Usually, account security will block login requests after a user fails three or more attempts. However, as Consumerist reports, Apple's Find My iPhone service didn't have this security protection. Hackers could try over and over until they got the right combination.
- Accounts did not have two-factor authentication. While Apple offers this, it isn't the default setting and isn't immediately apparent how to turn it on. Analysts have criticized that Apple made this option too difficult to find and enable.
- Pictures and data stay on the cloud even after they have been deleted. Mary Elizabeth Winstead said that she deleted her pictures, yet hackers were able to access them. Many cloud storage sites keep data that was deleted off devices until users take extra steps to delete it from the cloud itself.
Is the combination of these three practices enough for Apple to be sued? Absolutely. In fact, situations like this – where it's difficult to know who's to blame – are precisely the kind of cases that can lead to long, expensive lawsuits.
Apple blames the hackers. Celebrities blame Apple. An argument can easily be made that because Apple didn't block repeated login attempts, it opened the door for hackers to strong arm their way into celebrity accounts. That could be enough for a judge to hold Apple at least partially liable.
The iCloud security breach is an important reminder that – as a tech professional – you can be sued for not putting standard security procedures in place. (For information about covering your IT liability, read about Errors and Omissions Insurance.)
The Takeaway: How to Avoid Cloud Data Breaches
What can you learn from Apple's mistakes? For an IT consultant, there are two big takeaways:
- You could face a lawsuit if you didn't do enough to prevent a breach.
- You need to make sure your users know how to use a platform securely.
Part of your responsibility (and part of your risk management) will have to include educating your clients so that they understand the risks and security features of their IT. A successful data breach prevention strategy will involve teaching your clients…
- How to use their IT solutions securely.
- What pitfalls to avoid (spear phishing emails, malvertising, etc.).
- What security settings they need to keep in place.
- Details about what data is stored on the cloud and how long it stays there.
The knowledge gap between consultant and client can be especially troubling with cloud services. It's not always obvious what data is stored on the cloud, how long it's there, and what can be done about it. As more data moves to the cloud, make sure your clients understand the risks involved and that you've taken adequate steps to secure their data.
To learn more about client education techniques, read the post, “Client Education Resources for Fighting Data Breaches.”