IT Compliance Advisor

Sep 4 2014   8:11PM GMT

Post-hack focus on Apple iCloud security; Microsoft defies warrant

Fran Sales

Cloud Security
Data breach
Data Leakage
Data privacy
Data protection

Data privacy dominated tech headlines this week as Apple was forced to defend iCloud’s security when hackers leaked celebrities’ intimate photos. The tech giant also announced changes to its privacy policy, making it more difficult for developers to share data collected from its HealthKit app with third parties. Also in data privacy news, Microsoft is holding its ground against the U.S. government regarding user data held overseas, and the E.U. is discussing reforms to its 1995 data protection law.

Apple security under fire in iCloud celebrity hack

Apple announced Tuesday that it would probe media reports suggesting that vulnerabilities in iCloud, its online storage service, led to the hacks of celebrities’ accounts last weekend. In one scenario, a GitHub user found a weakness in Apple’s Find My iPhone app, an iCloud service that tracks an iPhone’s location and allows its user to remotely disable it, according to a post on the online code-sharing site. The vulnerability could have allowed the hacker to perform “brute force” attacks until the correct passwords were identified.

Rich Mogull, chief executive of security research and advisory firm Securosis, told the Wall Street Journal it’s possible that hackers exploited the Find My iPhone bug, but added it’s more likely that they hacked the celebrities’ individual accounts.

Apple said in a statement that the hacks were a result of hackers deducing the victims’ login credentials by targeting user names, passwords and security questions, and not by breaching Apple’s security systems. The company did, however, patch a flaw in its Find My iPhone app that security experts said could be partially responsible for the leak.

Apple updates health app’s data privacy policy

Apple also updated its privacy policy to prevent developers from selling users’ health information gathered through its HealthKit platform to advertisers, data brokers or resellers. HealthKit, part of iOS 8, provides developers with APIs to share their applications’ data with Apple’s Health app, which offers a dashboard of users’ health and fitness data. Additionally, the updates bar developers from using the data for purposes other than “providing health and/or fitness services.”

Apple’s efforts to ensure that HealthKit is compliant with U.S. regulatory requirements are noteworthy as health data has gained value with advertisers, according to Forbes, which cited a Senate Commerce Committee report that said companies are developing databases consisting solely of people’s health-related information. Apple’s new privacy rules allow developers to share users’ health data with third parties “for medical purposes,” which could potentially be a loophole in the policy. Developers will, however, need users’ permission to do so.

Microsoft defies U.S. data search ruling

Microsoft is still standing its ground against Judge Loretta Preska’s ruling to turn over customer emails and records stored at its Ireland data center. In July, Judge Preska upheld a U.S. magistrate judge’s ruling that because Microsoft can control data stored physically in Ireland without actually entering the country’s domain, the data’s location isn’t relevant and Microsoft must comply with a government search warrant for that data. Microsoft argued that user emails should be afforded the same legal protections as U.S. mail and phone conversations.

Microsoft said that it will not be turning over the customer records and will bring the case to the appeals court. AT&T, Apple and other tech heavyweights are submitting briefs to support Microsoft’s defiance of the search warrant.

E.U. reforms data protection law to include steeper penalties

The E.U. will soon reform its 1995 data protection rules in an effort to unify legislation across Europe and strengthen privacy guarantees, as well as enforce steep penalties should the new rules be violated. Under the reforms, the responsibility for violations would be shared between the organizations that own the data, or data controllers, and data processors, such as cloud providers that store the data.

Peter Groucutt, managing director at cloud backup provider Databarracks, told Business Cloud News that the proposed reforms could spur organizations to toughen their IT security policies. Additionally, the upcoming changes could help chief security officers acquire greater security funding due to the number of potential fines, which make it a priority for boards of directors, he added.
