On September 1, CNN Money announced that hackers had stolen more than 225,000 Apple accounts from iPhone customers, gaining access to sensitive, confidential information. The malware used for the theft, KeyRaider, is most commonly found in China but had spread to 18 countries, including the United States. Security firm Palo Alto Networks, who discovered the hack along with Chinese tech group WeipTech, referred to the attack as “the largest known Apple account theft caused by malware.”
The good news for prudent iPhone owners is that the malware only targets “jailbroken” iPhones. Jailbreaking is a technique whereby users take manufacturer-prohibited steps that enable them to access areas of their phones’ file systems that are normally access restricted by the manufacturer. Some users jailbreak their phones to install unauthorized software and/or make prohibited customizations.
On another front, bad news about the massive data breach of “social cheating” site Ashley Madison continues to roll in. In mid-August, after warning the company they would release the data if the site didn’t shut down, the hackers posted a 9.7 gigabyte data dump that allegedly included both intimate and confidential account details for some 32 million users, including seven years’ worth of credit card and other transaction details. Even data about individuals who had paid the service to delete their information was reportedly hacked and leaked.
The Ashley Madison event is of note because it exemplifies a fairly new type of hacking that can be incredibly damaging. In what we’ll call a “retribution hack,” one or more of the criminals in the effort had a grudge or other reason for wanting the site shut down, and they chose to punish its users along with the company. Now, anyone who downloads that data can use it for nefarious purposes.
These two episodes reinforce security experts’ assertions that no one is safe. Firms that allow employees unbridled access to mobile downloads, Internet sites and other potentially infected resources, or who allow users to store corporate data on inadequately secured personal or company devices, are putting their firms at extreme risk. Additionally, all companies must enact stringent security policies that prohibit jailbreaking and other dangerous activities on any device where company data resides.
From the corporate perspective, any company can become the target of a disgruntled employee, contractor or customer with deeply detrimental results, and some experts are conjecturing that attacks such as Ashley Madison’s may soon become more prevalent.
Corporate “secrets” are not really secret, at all. Firms must protect their proprietary assets and customer data with continually updated, managed security solutions that filter incoming and outgoing traffic — and can detect potential intrusion 24/7 – or they will eventually become victims. It’s simply a matter of when.
We wouldn’t be surprised if the first part of Ashley Madison’s slogan, “Life Is Short,” became its epitaph. We encourage business owners to take precautions to ensure they do not suffer the same fate.