Apple’s intended September surprise got off to a bad start after a company insider leaked out almost everything there is to know about the company’s anniversary edition iPhone.
The Apple leak fiasco reminds us how mighty technology firms, and the data they hold, continue to remain vulnerable to insider threat.
Apple is slated to celebrate the iPhone’s 10th birthday at a glittering ceremony at Steve Jobs Theatre this evening- an event that will be broadcasted across the globe to millions of Apple fans and interested onlookers. The main attraction at the event will be the iPhone X: a supposed technology marvel whose secrets weren’t supposed to be known until the launch ceremony.
However, as it turns out, there’ll be very little Tim Cook will get to say tonight that a lot of Apple fans wouldn’t already know. During the weekend, an Apple insider shared a list of secret URLs with 9to5Mac and MacRumors that contained details about the new iPhone, accessories and other features that the new devices would come with.
What did Apple lose?
The leaked documents contained some details about the new iPhone X, a new Apple Watch, new AirPod headphones, a new Emoji feature, new camera effects that will replicate DSLR results, and a new facial recognition software that may replace TouchID.
“As best I’ve been able to ascertain, these builds were available to download by anyone, but they were obscured by long, unguessable URLs. Someone within Apple leaked the list of URLs to 9to5Mac and MacRumors. I’m nearly certain this wasn’t a mistake, but rather a deliberate malicious act by a rogue Apple employee,” said tech blogger John Gruber in a blog post.
“Whoever did this is the least popular person in Cupertino. More surprises were spoiled by this leak than any leak in Apple history,” he added.
Deliberate or not, what this incident confirms is that valuable corporate data and trade secrets continue to remain vulnerable to insider access. It is unclear if Apple was aware about this particular employee’s access rights or if the company trusted that the employee wouldn’t leak anything that would damage the company’s credibility.
“There are lessons that all businesses – even giants like Apple – need to adhere to,” says Jason Allaway, VP UK and Ireland of RES now Ivanti.
“There are a variety of systems that can be put in place in order to help, but the most important thing is having technology that is contextually-aware. If your security systems can understand what positions and rights employees hold within the organisation, then issues can often be headed off before they cause any damage,” he adds.
A report released by security firm Bomgar on adherence to cyber-security protocols by company employees revealed that even though businesses are aware that employees may unintentionally mishandle sensitive data, fall victim to phishing e-mails or skirt security best practices to speed up productivity, only 37% of businesses have complete visibility into which employees have privileged access.
The report also added that that as many as 69% of employees stay logged on to either their laptop or company accounts after work hours, 57% send work files to their personal e-mail accounts, 46% tell colleagues their passwords, 53% use unsecured Wi-Fi to access online data and in the UK, only 44% of companies have reviewed their policies on third party access in the last two years.
Why couldn’t Apple stop the leak?
This leads us to wonder how seriously Apple’s cyber security teams and CISOs take the threat of unregulated insider access. There’s no way Apple would permit an employee to share restricted details with the media just days ahead of a launch ceremony. If Apple didn’t know why it happened, was it because Apple’s cyber security teams were lax in their approach or because the insider threat was a lot more serious than the company assumed?
“Often companies who have large labyrinths of information think that if they don’t give anyone access to the bigger picture – just parts of it – they will be safe. Not so; it’s incredibly easy to fit the pieces together. It’s a startling indication that even the biggest, most advanced companies in the world can be caught out by an employee that wishes to cause harm,” said Dr Jamie Graves, CEO of security firm ZoneFox to DIGIT.
Malicious insiders weave a complex web so it’s vital that companies ensure they have complete visibility into their data, who’s accessing it, where and if it is being diverted to anywhere it shouldn’t be, both stationary and in transit. Apple is aware of leaking within its organisation from a company culture perspective – now it needs to make sure it has the procedures and safeguards in place to avoid future incidents,” he added.