Apple and MIT jointly published a study on cloud storage data breaches
Today (8 December 2023), Apple announced the publication of an independent study on cloud data breaches and their related threats to personal data around the world.
Titled “The Continued Threat to Personal Data: Key Factors Behind The 2023 Increase”, Apple commissioned this study, but it was independently conducted by Dr. Stuart Madnick, a professor from the Massachusetts Institute of Technology (MIT).
This 2023 study is a follow-up to an existing Apple-commissioned study published last year, which was also focused on data breaches in the cloud. The new study also makes comparisons between the previous year and this year.
Spoiler alert: it did not get better for everyone else. About 80% of data breaches in 2023 involve data stored in the cloud, with this year’s first three quarters seeing nearly double the ransomware attacks (versus the same period last year).
What you don’t hear is that 360 million breached users were victims because of data breaches that happened to corporations and institutions. This means that it’s not your fault (sometimes) because it was a popular hotel chain or a national healthcare system that failed to protect your personal details.
How do cyber attackers breach personal details stored on the cloud?
Below are some key takeaways from Apple’s new study.
Nearly 50% more organisations experienced a ransomware attack in H1 2023 than in H1 2022. While these “ransomware gangs” (organised crime groups that hold data hostage) are not new, their methods have evolved.
Previously, ransomware attacks “lock up” an organisation’s data until the ransom is paid. This typically involved crippling the organisation’s ability to operate.
The new method takes it further with “double extortion”: even if the ransom is paid and the company regains control, the attackers can request an additional ransom with the threat to publish stolen data on the dark web. Even so, the attackers can still proceed to leak stolen data after multiple ransoms were paid.
Ransomware gangs also employ “dual ransomware” approaches, where the syndicate would experiment with multiple ransomware variants quickly (mainly to see which variants work).
Perhaps the most pressing issue is “vendor exploitation” — where attackers do not directly target the company but instead target their vendors (service providers) because of their privileged access to their business customers.
Apple’s study gave multiple file-sharing sites as examples where the breach of a file-sharing site means getting access to corporates and institutions. The study also asserted that vendors tended to have weaker cybersecurity postures due to a lack of resources or security talent. The paper also added that 98% of organisations have business relationships with a vendor with a data breach within the last two years.
Apple also compiled a list of major cloud data breaches in 2023 that relied on these popular attack vectors. While the list published significant hacking events worldwide, attacks in Asia Pacific included examples like Toyota (cloud misconfiguration), Sphero (corporate ransomware), the Immigration Directorate General of Indonesia (corporate ransomware), and Latitude Financial (vendor exploitation).
To read the study in full, you can find it on Apple’s website.
What can be done to mitigate data breaches?
Apple (being Apple) can only recommend steps within their control. One is opt-in to more secure versions of cloud security, such as using Apple’s Advanced Data Protection for iCloud (another layer on top of existing Standard Encryption).
Unlike standard encryption, Advanced Data Protection for iCloud (which is free and has been around for a year) offers end-to-end encryption at the highest possible level, but with a caveat: the user has to create recovery keys themselves, or assign another trusted Apple user as a recovery contact, since even Apple wouldn’t have the keys to decrypt your personal data.
Currently, Advanced Data Protection for iCloud is the default setting in 14 data categories on an Apple device (which includes Passwords & Keychains, Home data, Siri info, Health data, Screen Time data, Maps data, Memojis, etc.). However, it’s not entirely default for your whole iPhone — enabling it would extend that protection to 23 data categories.
Given its extreme security posture and setup required, it’s not surprising that Apple users typically miss this step when they get a new iPhone.
To enable it, you can find it under the Settings app by tapping on your Apple ID (the very first tab). In it sits the iCloudsub-menu, where Advanced Data Protection is available as a toggle at the bottom of the screen.
< PrevPage 1 of 1 – Apple and MIT jointly published a study on cloud storage data breachesPage 1 of 1 – Apple and MIT jointly published a study on cloud storage data breachesPage 1 of 1 Page 1 of 1 – Apple and MIT jointly published a study on cloud storage data breachesNext >