It's been another bad week in security.
Not only do we learn that so-called "friendly" governments are quietly requesting surveillance data concerning push notifications, but Apple tells us more than 2.6 billion personal records have already been compromised by data breaches in the past two years.
It’s almost as though the best way to ensure your online data is safe is to make sure no one stores any of it. It feels likely that the Apple-commissioned study (“The Continued Threat to Personal Data”) is designed to reinforce the company’s arguments around the need for strong end-to-end data encryption and security.
To me it's tragic that it was even necessary to commission the report, given how obvious it is to anyone outside of some governments that the best way to secure data is to keep data secured, rather than introducing designer vulnerabilities. But this appears to be where we are.
What Apple said
In a statement, Craig Federighi, Apple’s senior vice president of software engineering, warned:
“Bad actors continue to pour enormous amounts of time and resources into finding more creative and effective ways to steal consumer data, and we won’t rest in our efforts to stop them. As threats to consumer data grow, we’ll keep finding ways to fight back on behalf of our users by adding even more powerful protections.”
Attack velocity is increasing incredibly fast
The study, conducted by Massachusetts Institute of Technology professor Stuart Madnick, found clear proof that data breaches have become a global epidemic. The number of data breaches more than tripled between 2013 and 2022 and has continued to worsen in 2023.
The big message is that robust protection against breaches needs to be mandatory. End-to-end encryption, for example, is all the more important when criminals and dodgy government-backed spies are attempting to break into the servers your data sits on.
That’s less of a problem when even the server doesn’t understand and can’t read that information. If the server can’t read it, chances are neither can the perpetrators.
We should use Advanced Data Protection
The report also delivers a pretty powerful recommendation to enable Apple’s recently introduced Advanced Data Protection for iCloud.
Apple’s data protection already extends to encryption of critical information such as passwords and other sensitive information. Advanced Data Protection adds protection for Notes, iCloud Backup, and Photos to the list, though there are some limitations.
It really should concern anyone online that the momentum of these attacks is increasing so dramatically. In the US alone, there were nearly 20% more breaches in just the first nine months of 2023 than in any prior year, Apple said.
The report also warns that more than 80% of breaches involved data stored in the cloud, and that attacks against cloud infrastructure nearly doubled between 2021 and 2022.
Attackers are sophisticated and well-resourced
Hackers are becoming more professionalized and better resourced, most security experts agree. Some even run help desks to assist impacted customers!
The reality is that ransomware is a huge business, one that benefits from more sophisticated attackers who have always known how to gather and combine small pieces of data from individuals lower down the enterprise security chain in order to break security elsewhere.
Simen Van der Perre, strategic advisor at Orange Cyberdefense, recently warned that many of the most sophisticated ransomware attacks take place over time in different stages.
In this environment, you must expect every small vulnerability to be prodded and explored.
“Hackers are evolving their methods and finding more ways to defeat security practices that once held them back. Consequently, even organizations with the strongest possible security practices are vulnerable to threats in a way that wasn’t true just a few years ago,” Apple said.
Encrypt all the things
“In recent years, we have seen an unprecedented increase in both the number of cyber threats and their sophistication, with attacks becoming more tailored as criminals aim for maximum impact, and maximum profit,” according to Bernardo Pillot (INTERPOL’s Assistant Director of Cybercrime Operations) who's quoted in the report.
But making sure data is incomprehensible even if it is accessed is the company’s approach to personal and enterprise security. After all, if someone breaks into your online data but can’t make any sense of it, your data remains effectively safe.
Of course, data isn’t solely a problem for employees and users. All those data lakes held by a myriad of different firms are potential targets, and we’ve seen data brokers and government-related systems broken into enough times to understand that the information those systems hold about people should also be more effectively protected.
We need bigger walls, not larger gates
Apple warns that because people now live more of their lives online, corporations, governments, and other types of organizations collect more and more personal data — sometimes with little choice from individuals.
At the same time, the interconnected nature of global business means a successful hack against one small supplier, aided by data about that supplier’s people stolen elsewhere, can give attackers access to information stored on servers belonging to a much larger company, putting everyone at risk.
Attacks of this kind can ruin customer relationships and bankrupt companies — and those nations that remove the protection of end-to-end encryption from consumer and business users alike had better recognize the risk they are taking with their population’s digital security and enterprise success.
Strong and robust digital protection is essential in a connected world; weakening it is a luxury no one can afford.