That’s how long it took for Apple to make a statement regarding arguably the most highly-publicized breach in the history of mobile phones.
On Sunday, several intimate photos of celebrities were published on the Internet — photos that were taken in the privacy of their homes. The online accounts of actors, musicians, and even a well-known baseball player had allegedly been hacked, leaving many to speculate whether there was a fissure in the Apple iCloud.
This was big, and Apple needed to step up immediately. But the company, which is about to release the newest version of the extremely popular iPhone, remained tight-lipped until Tuesday, when a statement confirmed that “certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.” The software giant was quick to skirt the blame, adding that none of the cases that were investigated “resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.”
It went on to advise that if you want to protect against these types of attacks, you should “always use a strong password and enable two-step verification.”
In other words, it’s not their fault. The statement may as well have read, “We’re super sorry that any remaining shreds of privacy and dignity you may have had are now gone, but you really should’ve had a 27-digit password.”
Okay, so maybe that’s a slight exaggeration. But what Apple is saying, according to TechCrunch, is that although certain iCloud accounts may have been accessed, “that didn’t happen as a result of any systematic flaw in Apple’s security systems or cloud services. Instead, the techniques used to access the accounts in question were the same that make any online accounts vulnerable; those include researching biographical details of a target to guess passwords and answers to security questions, and possibly running through multiple options until you find the right one.”
So if a hacker knows an awful lot about a celebrity, he or she can keep plugging away at security questions, using each failure as a chance to crack the code. Perhaps it’s time for a company as innovative as Apple to find a more secure alternative to using password reset questions, particularly since the new iPhone will enable users to collect and share health-related data and even pay for items using credit cards stored on iTunes, according to the Wall Street Journal.
And in the meantime, the company could use a course in crisis communication, or at least heed the advice given during a presentation at last year’s CHIME Fall Forum, where Sutter Health CIO Jon Manis urged his colleagues to “get out in front of a crisis.” Jim Veline, CIO at Avera Health, talked about implementing an action plan before an event happens.
In this case, it appears Apple didn’t have an action plan even after an event happened — and if they did, it was poorly executed. Not exactly a vote of confidence for the company that’s handling the data of millions of people.
They had better make some changes before their reputation starts to rot. If they don’t, forget about trusting them with your health information; you might not even let them keep your playlist.