‘Fight back’: inside Apple’s plan to stop hackers and shield customers from cyber crime
Australia is one of the top four countries for cyber attacks, with most businesses failing to encrypt sensitive data, according to Apple. Here’s what you need to know.
Australia is one of the top four countries for cyber attacks, with most businesses creating a honey pot for hackers by failing to encrypt sensitive customer data, according to Apple.
The tech behemoth commissioned a study from the Massachusetts Institute of Technology after it expanded its data-encryption practices significantly 12 months ago to “fight back” against hackers.
Despite the launch of Apple’s Advanced Data Protection for iCloud, the MIT study found cyber attacks have continued to soar. There were more data breaches in September this year than throughout 2022, according to the research.
In Australia, hackers have targeted Medibank, Optus, Latitude Financial and Australian Clinical Labs, exposing customers to identity theft and other financial crime after personal details – including health records, names and addresses – were published on the dark web.
This has ranked Australia among the top global destinations for hackers, behind the US, the UK and Canada.
MIT professor of information technology Stuart Madnick said companies storing sensitive data in a readable, non-encrypted form fuelled the ongoing risk of cyber attacks despite the best efforts of consumers to protect their own information.
“And as long as organisations keep collecting troves of unencrypted personal data, hackers are motivated to keep finding new ways to get it,” Professor Madnick said in his report.
“This is why it’s imperative that organisations consider limiting the amount of personal data they store in readable format while making a greater effort to protect the sensitive consumer data that they do store. And it’s why the technology industry is increasingly adopting innovative solutions that implement end-to-end encryption such as iCloud’s Advanced Data Protection to reduce the amount of vulnerable data stored by organisations and the risk to individuals.”
Overall, the MIT report found consumer data breaches increased threefold from 2013 to 2022, with 2.6 billion personal records compromised in 2023 alone.
Attacks targeting cloud infrastructure nearly doubled from 2021 to 2022, accounting for more than 80 per cent of breaches.
While Apple’s advanced data encryption has sparked some tension with law enforcement agencies, the company says the tightened security was designed to protect the privacy of its millions of iPhone and MacBook users, shielding them from cyber crime.
The security is so tight that the company can’t access most data stored in iCloud, including photos, notes and messages. This protects data even if there is a breach in iCloud but makes it difficult to comply with law enforcement requests for access.
“Apple has never created a ‘back door’ or master key to any of our products or services. We have also never allowed any government direct access to Apple servers. And we never will,” the company says on its privacy website. “Our legal team reviews requests to ensure that the requests have a valid legal basis. If they do, we comply by providing data responsive to the request. If a request does not have a valid legal basis, or if we consider it to be unclear, inappropriate or overly broad, we challenge or reject the request.”
Mobile phones offer a treasure trove of information, with hackers able to assume a user’s identity and empty bank accounts within minutes once they gain access, prompting the need for robust security.
iCloud protects 14 sensitive data categories using end-to-end encryption by default, including passwords in iCloud Keychain and Health data. For users who enable Advanced Data Protection for iCloud, the number of data categories protected using end-to-end encryption rises to 23, including iCloud Backup, Notes, and Photos.
Craig Federighi, Apple’s senior vice-president of software engineering, said it was part of the company “finding ways to fight back on behalf of our users” against cyber criminals.
“Bad actors continue to pour enormous amounts of time and resources into finding more creative and effective ways to steal consumer data, and we won’t rest in our efforts to stop them,” Mr Federighi said.
eSafety Commissioner Julie Inman Grant said last month she did not expect to “break end-to-end encryption” as she consults with industry to draft new standards to combat online sexual abuse.
“Nor do we expect companies to design systematic vulnerabilities or weaknesses into any of their end-to-end encrypted services,” Ms Inman Grant said. “But operating an end-to-end encrypted service does not absolve companies of responsibility and cannot serve as a free pass to do nothing about these criminal acts.”
Ms Inman Grant said many in industry, including encrypted services, were proactively working to stamp out online abuse, without breaking encryption.
“Meta’s end-to-end encrypted WhatsApp messaging service already scans the non-encrypted parts of its service including profile and group chat names and pictures that might indicate accounts are providing or sharing child sexual abuse material.
“These and other interventions enable WhatsApp to make 1 million reports of child sexual exploitation and abuse each year. This is one example of measures companies can take.”
