Lessons from the iCloud Celebrity Hack

The highly publicized hacking of the iCloud accounts of dozens of celebrities was disclosed over Labor Day weekend and has raised larger, more serious concerns regarding the security of personal and corporate data held in the cloud.

Several explanations for how the hack was achieved have been offered, with some initial pointing the finger at potential flaws in Apple’s security system. In a press release on Tuesday, Apple denied that the hacking stemmed from “any breach in any of Apple’s systems,” and pointed to “a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the internet.”

Apple’s statement raises important points about data security, for celebrities and non-celebrities, as well as for businesses that use the cloud. In the age of ubiquitous social media, portable devices and cheap cloud storage, at home and in the workplace, we all must choose user names, passwords, security questions and other authentication methods judiciously. Many common security questions elicit information that may be easy for others to answer if they simply look hard enough. (For public figures with lengthy Wikipedia pages, using a security question about the name of his/her school is a bad idea, but the same concerns exist for ordinary Facebook users.)

It may take time for the FBI to discover exactly what happened in this particular case, but regardless of the outcome of that investigation, it is important to bear in mind that any security system can be defeated. Hackers continue to get more inventive, and new technological innovations are developed that provide users with convenience, but that can also make users more vulnerable. This does not mean we should shrink from technology, but rather that we should be more vigilant in protecting our data and also be prepared to address data breaches when they happen. (Empathy for those affected is a good idea, too, since all of us will likely be victims at some time or another.)

What lessons beyond empathy can be taken from this event?  First, when choosing user names and passwords, avoid the obvious. As this space has warned since 2010, brute-force hacking relies upon utilizing a computer program to try password combinations over and over until the right match is found. Choosing passwords with an obvious feature – a last name or alma mater or birth date, for instance – cuts down the potential universe of passwords, making a hacker’s task much easier.  Consider using a password manager, maintain different passwords for different accounts, and change your passwords often.  If you store data in the cloud, use reputable vendors (and check their security), minimize what you store online, and cull old records regularly and systematically.  Systems are only as good as the humans that run them.

Leave a Reply

Your email address will not be published. Required fields are marked *