Over the years, there have been many times when I’ve heard the phrases “I’m not worried about security” or “I trust” followed by “Facebook,” “Microsoft,” “Amazon,” “Google,” “Apple,” or any number of other large companies that hold on to a large amount of customer data. This article, written by Gizmodo’s Mat Honan, should give anyone who trusts their security to another company second thoughts. In the article, Honan explains that his account was hacked through some clever social engineering against Apple technical support. Apparently the attacker was able to convince an Apple support member to grant him access to Honan’s account after successfully posing as the journalist. After doing so, the attacker proceeded to systematically use Apple’s built-in tools to wipe Honan’s iPhone, iPad, and MacBook, as well as take control of his Google and Twitter accounts. Essentially, Honan was kicked off the Internet for some time.
Normally this is where I would hop onto the soapbox and preach stronger security measures to end users, like passwords, two-factor authentication, etc., but that would not have done Honan any good here, because the attackers went after his service provider, Apple. In this case, it’s Apple who needs to do a better job to ensure this sort of problem doesn’t happen again.
To those of you who handle customer data, however, the very strong lesson to be learned remains. Do any of your customers entrust their personal, private, confidential information to you? If so, how do you safeguard it against these attacks? Now is a great time for a review of your security policies and even a penetration test to see how well they hold up under attack.