Not best practices: Apple’s iCloud is neither private nor secure

Can your business survive a massive data breach? If your business stores, backs up or syncs its data to the cyber cloud, take note. Apple’s iCloud is currently the subject of ransomware. As you will read, the moral to this article is that confidential business data, trade secrets, customer lists and other information is at peril if it is stored off-site on a remote web server such as Office365 or iCloud. The details are fascinating but the song remains the same as it has always been: caveat emptor when it comes to the world of processing information online.

A hacking group that calls itself the Turkish Crime Family alleges that it has gained remote access to more than 627 million iCloud accounts maintained on Apple’s servers. The group has threatened to delete all of the data maintained on those accounts, as well as data contained on the Apple desktop and mobile devices to which the accounts are connected. Turkish Crime Family has claimed on Twitter that the data will be deleted unless Apple pays a random by April 7, 2017. The amount of the random is either $75,000 US in Bitcoin or Ethereum blockchain currency or $100,000 US in iTunes gift cards.

Apple users whose email addresses contain the domains ‘icloud.com’ and ‘me.com’ are apparently at risk. The rogue hackers had posted a video on YouTube (ironically a Google company) that purportedly showed communications between the group and Apple. That video has been deleted, presumably at Apple’s insistence.

Notably, even iCloud accounts that utilize enhanced two-factor authentication are vulnerable. This casts a shadow over the entire concept of securing one’s data because most users do not utilize robust 2-F authentication. (This author strongly urges you to enable 2-F on all of your financial and sensitive accounts.

Apple has not made any public comment about this ransomware threat, presumably because Apple’s often-stated corporate policy is not to pay hostage fees. As a result, 624 million iCloud accounts could be deleted and worse, the computers and devices to which those accounts belong could be wiped clean on April 7th.

• Will this really happen? I do not want to be the guinea pig that finds the answer to this scary question. I do not believe that the Turkish Crime Family has anything to do with the country of Turkey despite its national flag being symbolized as an icon on its Twitter page. First, why would black hat hackers advertise their whereabouts? It is not credible. Second, several of the 28 Twitter accounts that @turkcrimefamily follows appear to belong to people with Turkish names. Using Google Translate, I found that those Twitter accounts are actually Turkish magazines and computer e-commerce sites.

  Although healthcare, education and financial services are the primary mandate industries that are legally required to secure data, in fact every business’ information are trade secrets that must be protected. Should data be stored on public databases like iCloud and Office365? The answer is: not if you want your information to be safe and sound.

  Otherwise your business can suffer a breach and all of its many repercussions including damage to one’s brand name and goodwill and the attendant expense of giving notification of the breach to every affected user, actual damages arising from the compromise of data, and loss of competitive advantage. Cyberliability insurance can help to mitigate the amount of money damages, but it is not avoidance. Businesses need to take affirmative steps to protect trade secrets, and using the cloud is not a good way to enter those heavenly gates.