How do you rate Apple’s incident response in this situation?
Apple disclosed yesterday that its developer website had been temporarily taken down after being ‘hacked’ last Thursday. After three days of suggesting that the developer.apple.com site was down for maintenance, Apple sent an email to developers on Sunday saying that:
“Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.
In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.”
What I find interesting here is that Apple mention ‘the spirit of transparency’ in their email, despite the fact that it took them three days to advise third-party developers that personal information may have been accessed.
Furthermore, it appears that the ‘hack’ in question may not have been quite what it first seemed. A Turkish security researcher, Ibrahim Balic, certainly claims otherwise.
Balic, who says that he is hired to discover security vulnerabilities in companies’ systems, says that he recently found 13 bugs in Apple’s systems. It is one of these bugs, according to Balic, that allowed him to access data for over 100,000 people on the developer site.
Balic suggests that he attempted ‘responsible’ disclosure by forwarding the details to Apple via their online bug reporting form, but –
“4 hours later from my final report Apple developer portal was closed down and you know it still is. I have emailed and asked if I am putting them in any difficulty so that I can give a break to my research. I have not gotten any response to this… I have been waiting since then for them to contact me, and today I’m reading news saying that they have been attacked and hacked.”
Now, whether or not Balic’s actions were indeed responsible is, of course, debatable, as it certainly appears that he did not have Apple’s permission to access user data. But is Apple’s description of an ‘intruder’ in their system the most apt one? I’m not sure that it is.
Whatever has actually happened here, I can’t help but think that Apple haven’t dealt with the situation as well as they could have done.
If a company discovers that a security issue has led to a data breach, it has an opportunity to address that by issuing a timely and accurate response, so that its customers can assess what has happened and what action, if any, they may need to take. For instance, should email addresses be leaked, users may be at very high risk of receiving socially engineered phishing messages, which could then lead them to divulge further sensitive information. If, on the other hand, they have already been made aware that their personal details may be in the wild, they would be forewarned and forearmed, and much more alert to such a ruse.
With that in mind, what measures has your business taken to ensure, firstly, that customer data remains as secure as possible, and, secondly, that you have an incident response plan prepared in advance should the worst happen?