There is speculation that Apple experienced a data breach in 2018 that it kept hidden from the public. Companies are generally encouraged to be transparent about data breaches so that users understand what has happened to their data and what steps they need to take to mitigate the problem.
The laws surrounding the disclosure of breaches vary between countries. The EU’s General Data Protection Regulation (GDPR) gives a company a 72-hour window in which to notify regulators of a breach. A company that fails to do so can face a severe penalty.
2018 saw many high-profile data breaches that the affected companies disclosed.
Notable Data Breaches of 2018
- In September, Facebook experienced the biggest data breach in its history when hackers exploited a zero-day vulnerability in its “view as” feature. This allowed 30 million access tokens to be stolen.
- Aadhaar, India’s government ID database, was hacked in March. The database contained identity records on every Indian citizen, including unique 12-digit identity numbers and, in some cases, biometrics such as fingerprints and iris scans. It housed the data of 1.1 billion citizens.
- Marriott Starwood hotels announced that between 2014 and September 2018, hackers had accessed a reservation database containing records on 500 million customers.
- In March, MyFitnessPal announced that hackers had stolen the data of 150 million of its users. The stolen data included usernames, email addresses, and encrypted passwords.
- Quora announced that hackers stole up to 100 million users’ data, including names, email addresses, encrypted passwords, and data from linked accounts.
- Google+ announced it was closing its social media platform after a hack that exposed 52.5 million users’ data.
It has now been alleged that Apple experienced a data breach late last year. Security researcher Melih Sevim contacted hacking news website My Hacker News to draw attention to a security flaw he discovered. The flaw allowed him to view some data from random iCloud accounts, and to target specific iCloud users if he knew their phone number. This data included the contents of the “Notes” app.
“I discovered that when there is an active data transfer between the user and Apple servers, if I open my (attacker’s) iCloud account, there is a possibility to view some random data on every refresh due to the bug.”
Melih reported the issue to Apple in October 2018, shortly after he discovered it. The flaw was patched in November 2018. Apple responded to Melih’s announcement by claiming it had already addressed the issue before receiving the details from him.
The issue arose from the way Apple had internally linked the phone number saved in a user’s iCloud billing information to a device using the same number.
“Let’s suppose, if email@example.com’s mobile number is 12345, and when I enter the 12345 mobile number into my firstname.lastname@example.org Apple ID account, I could see abc’s data on xyz’s account,” Melih said.
When asked for comment, Apple simply responded that the issue was resolved in November, but it did not address how long the flaw had existed, or whether it believes hackers exploited it.