Famous film stars, data breaches and why CEOs should be worried
So the latest not-so-surprising story concerning data breaches is that, in addition to containing pictures of ladies in underwear and pictures of famous film stars, the internet also contains pictures of famous film stars in their underwear.
I don’t mean to trivialise the impact of private pictures splashed all over the web. It’s clearly unpleasant, morally indefensible and probably illegal, but plenty of others have discussed the data breaches themselves at length. At Idax we are more interested in the lessons to be learned about the breaches of internal security rather than speculating on external threats.
When the story broke, commentators focused on the “how”. The favoured theory was an evil genius who hacked into the main iCloud computer. Presumably someone halfway between Kim Dotcom and Ernst Stavro Blofeld working from an evil lair in a hollowed out volcano. I have little experience of evil hacker geniuses, but if they exist, I suspect they are more motivated to steal credit card details from the many than private pictures from the few.
The second theory was that our protagonists had guessed or otherwise obtained the email addresses and passwords for iCloud accounts – a “phishing” attack. Given that a lot of celebrity details are in the public domain and most people are chronically bad at setting passwords, this is pretty credible. Spoiler alert: When asked for your date of birth you don’t have to use your real date of birth; the one that’s also on your Facebook page.
But let’s suppose for a moment that there was no evil genius and no phishing attack, how else might the caper have been done. Simple as it may sound, I’d get myself a job as an iCloud database administrator and then wait until I could steal the pictures.
Now I have no inside knowledge of what goes on at Apple and my approach may sound too obvious. Apple may be the exemplar of corporate governance and security as they are in many other things. But at Idax our experience is that the corporation is nowhere near as secure as your CEO would like to think, and data breaches mostly occur when staff routinely have access to resources that have nothing to do with their job and are either historical or just plain wrong. In a corporation of any size keeping track of access rights is a major headache.
In this context coercion, collusion and avarice are great motivators, especially when the disgruntled developer routinely has uncontrolled access to production data.
So, we may never find out how the images got onto the web and only a cynic would point out that it’s in everyone’s interest to perpetuate the story of the complex con, rather than the corporate cock up. But clearly protecting your corporate data from both internal and external threats has to be a priority for all organisations.
I’ll leave you with a last thought. Under EU data protection legislation a company can be fined up to 10% of global revenue for losing personal data. So if it’s conceivable that you might lose all your customer files if a laptop was inadvertently left a train or a DBA sent a file to his home email, maybe you should look into how you manage internal identity management.
Mark Rodbert is CEO of Idax Software, the identity management analytics company.