Over the weekend, we learned that Apple’s Developer Center was taken down due to a security vulnerability or breach on the site last Thursday, July 18.
In their notice, Apple indicated that the security breach could have led to developers’ names, mailing addresses and e-mail addresses being accessed, although the company states clearly that sensitive personal information was encrypted and not accessed.
Apple is notorious for not talking about its security issues, and followed that example for the first three days of this issue by talking about the site outage as “a maintenance issue.”
But by Sunday, Apple posted an explanation of the outage and the scope of the data breach. Another thing the posting stated, which isn’t getting a lot of focus right now, is what they’re doing about it:
"In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database."
In other words, Apple has decided to accept the risks of a prolonged outage so it can mitigate the security risks, threats and breaches through a complete rebuild. In the immortal words of Ripley from Aliens, Apple decided to nuke the site from orbit because “it’s the only way to be sure.”
This is a nearly unprecedented, comprehensive response, especially since it’s not clear that there was an actual breach.
A security researcher in the United Kingdom, Ibrahim Baliç, has come forward claiming that he found the vulnerability on the site and notified Apple, and that they then took the site down. He further claims that he didn’t breach the systems or access data.
Regardless of whether a breach occurred, the scope of the data lost (or potentially lost) here is circumscribed. And that’s what makes Apple’s response remarkable.
The only other example we have of a company accepting an extended outage to do the right thing and rebuild is Sony’s response to the PlayStation Network hack in 2011. Sony accepted twenty-five days of downtime in that event.
But in that case, there was a demonstrated breach and a loss of 12,000 credit cards.
Sony said that their breach cost them at least $171 million (USD). A large part of that loss was due to the downtime it took for the company to rebuild its system.
Nonetheless, Sony did the right thing by accepting that downtime and there has not been a security breach since then. Sadly, Sony doesn’t get credit for that, though they should.
And so Apple’s security team should get credit for doing as Sony did and committing not just to patching a hole in a troubled architecture but to taking the time to rebuild from the ground up to make the system more secure.
If we had more companies respond to breaches in this way, we (technology, privacy, security and cyber threats) would be much better off as an industry.
Christopher Budd - Threat Communications Manager, Trend Micro