Apple releases report revealing 2.6 billion records compromised by data breaches and says the answer is encryption

December 8, 2023 |

It never ceases to amaze me how few businesses, and government agencies, encrypt their data. Given it is feasible the refusal to do so, particularly by organisations that collect and store masses of data is a major failure of cyber security. Apple released a report, titled The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase, in support of its push for end to end encryption.  The release provides:

Today Apple published an independent study conducted by Massachusetts Institute of Technology professor Dr Stuart Madnick that found clear and compelling proof that data breaches have become an epidemic, threatening sensitive and personal consumer data the world over. The total number of data breaches more than tripled between 2013 and 2022 — exposing 2.6 billion personal records in the past two years alone — and has continued to get worse in 2023. The findings underscore that strong protections against data breaches in the cloud, like end-to-end encryption, have only grown more essential since last year’s report and the launch of Advanced Data Protection for iCloud.
This year’s study, “The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase”, demonstrates threats that had already reached historic levels — as shown in last year’s report, “The Rising Threat to Consumer Data in the Cloud” — continue to rise. Increasingly, companies across the technology industry are addressing these threats by implementing end-to-end encryption, as Apple did with last year’s launch of Advanced Data Protection for iCloud.
With Advanced Data Protection for iCloud, which uses end-to-end encryption to provides Apple’s highest level of cloud data security, users have the choice to further protect important iCloud data even in the case of a data breach. iCloud already protects 14 sensitive data categories using end-to-end encryption by default, including passwords in iCloud Keychain and Health data. For users who enable Advanced Data Protection for iCloud, the total number of data categories protected using end-to-end encryption rises to 23, including iCloud Backup, Notes and Photos.
“Bad actors continue to pour enormous amounts of time and resources into finding more creative and effective ways to steal consumer data, and we won’t rest in our efforts to stop them,” said Craig Federighi, Apple’s senior vice president of Software Engineering. “As threats to consumer data grow, we’ll keep finding ways to fight back on behalf of our users by adding even more powerful protections.”As shown in this year’s report, the increasing digitalisation of users’ personal and professional lives has fuelled a dramatic rise in data breaches. Each year, thousands of data breaches expose the personal information of hundreds of millions of consumers. Hackers are evolving their methods and finding more ways to defeat security practices that once held them back. Consequently, even organisations with the strongest possible security practices are vulnerable to threats in a way that wasn’t true just a few years ago.The report also shows that even when consumers take all the right steps to secure their sensitive data, it’s still at risk of being compromised by hackers if it’s stored in a readable form by organisations they entrust it with. For instance, when attempting to infiltrate companies with robust security practices, hackers often start by targeting a different organisation with relatively weak security that has a technical business relationship with the ultimate target. They then steal credentials or information that helps them target employees or systems at the organisation that is their primary objective.As threats to user data continue to grow more frequent and sophisticated, Apple’s long track record of engineering powerful and innovative features make its products the most secure on the market. With Lockdown Mode, Apple developed a protection for those who may be targeted by extreme threats like mercenary spyware because of who they are or what they do. Apple’s Advanced Data Protection for iCloud is another feature the company has developed to protect users against growing threats to their data, keeping most user data in iCloud protected even in the case of a data breach in the cloud.The report illustrates that the historic threats to user data that saw the number of data breaches nearly triple between 2013 and 2022, compromising 2.6 billion records over the course of two years, are only getting worse in 2023. In the US alone, there were nearly 20 per cent more breaches in just the first nine months of 2023 than in any prior year. The target for cybercriminals was very clear, with a 2023 survey finding that over 80 per cent of breaches involved data stored in the cloud. This is after attacks targeting cloud infrastructure nearly doubled from 2021 to 2022.This is due in part to the increased targeting of consumer data by ransomware gangs and coordinated campaigns that compromised vendors or their products to target customers. The threat of ransomware has only grown in 2023, as shown by the fact that there were nearly 70 per cent more attacks reported through to September 2023 than in the first three quarters of 2022. In fact, experts found that there were more ransomware attacks through to September 2023 than in all of 2022 combined. This has led to alarming trends in the US and abroad, with more than double the accounts getting breached in the first half of 2023 compared to the first half of 2022 in the UK, Australia and Canada combined.

The report itself makes for sobering reading.  Some of the insights include:

  • In 2023, ransomware attacks increased to levels never seen before, while also becoming more sophisticated and aggressive. Hackers arebecoming more organized, often through ransomware gangs. Their attacks are also more threatening and more likely to target organizations with sensitive data, like governments, mass-market genetic testing companies, or healthcare facilities
  • attacks that exploit vendors are increasing, and they frequently spread  to many other organizations that depend on those vendors
  • In the UK, Australia, and Canada combined, more than double the number of accounts were breached in the first half of 2023 compared to the first half of 2022
  • as of early 2023, more than 80% of data breaches involved data stored in the cloud, following a near doubling of attacks targeting cloud infrastructure between 2021 and 2022
  • Cybercriminals have also increasingly targeted organizations, including private companies and government entities, that collect particularly sensitive personal information, such as schools, mass market genetic testing companies, healthcare institutions, and military and police institutions
  • More ransomware attacks were reported through September 2023 than in all of 2022. In the first three quarters of 2023, the number of ransomware attacks increased by nearly 70% compared to the first three quarters of 2022
  • The number of ransomware attacks was two and a half times higher in September 2023 compared to September 2022
  • The US and UK were the countries most frequently targeted by ransomware attacks in 2023, followed by Canada and Australia. Nearly 70% of ransomware attacks occurred in these four countries
  • bad actors have increasingly focused on taking control of personal data collected and stored by the corporations and institutions
  • hackers have also become more organized, relying on more efficient organizational structures, higher budgets, and more sophisticated tools, including generative AI
  • Ransomware gangs also frequently target the same victim multiple times in a short period with different ransomware variants to further exploit their weakened defenses, a type of attack known as “dual ransomware attacks
  • Corporations and institutions increasingly rely on third-party software and vendors for their daily operations, including accounting software, technical software, and file transfer or security services. Once these software packages are installed in an organization’s systems, they often provide vendors with unfettered access (through a “side door”) to the organization’s network so that they can provide services such as software updates

The release of this report has been covered by the Australian in ‘Fight back’: inside Apple’s plan to stop hackers and shield customers from cyber crime which provides:

Australia is one of the top four countries for cyber attacks, with most businesses creating a honey pot for hackers by failing to encrypt sensitive customer data, according to Apple.

The tech behemoth commissioned a study from the Massachusetts Institute of Technology after it expanded its data-encryption practices significantly 12 months ago to “fight back” against hackers.

Despite the launch of Apple’s Advanced Data Protection for iCloud, the MIT study found cyber attacks have continued to soar. There were more data breaches in September this year than throughout 2022, according to the research.

In Australia, hackers have targeted Medibank, Optus, Latitude Financial and Australian Clinical Labs, exposing customers to identity theft and other financial crime after personal details – including health records, names and addresses – were published on the dark web.

This has ranked Australia among the top global destinations for hackers, behind the US, the UK and Canada.

MIT professor of information technology Stuart Madnick said companies storing sensitive data in a readable, non-encrypted form fuelled the ongoing risk of cyber attacks despite the best efforts of consumers to protect their own information.

“And as long as organisations keep collecting troves of unencrypted personal data, hackers are motivated to keep finding new ways to get it,” Professor Madnick said in his report.

“This is why it’s imperative that organisations consider limiting the amount of personal data they store in readable format while making a greater effort to protect the sensitive consumer data that they do store. And it’s why the technology industry is increasingly adopting innovative solutions that implement end-to-end encryption such as iCloud’s Advanced Data Protection to reduce the amount of vulnerable data stored by organisations and the risk to individuals.”

Overall, the MIT report found consumer data breaches increased threefold from 2013 to 2022, with 2.6 billion personal records compromised in 2023 alone.

Attacks targeting cloud infrastructure nearly doubled from 2021 to 2022, accounting for more than 80 per cent of breaches.

While Apple’s advanced data encryption has sparked some tension with law enforcement agencies, the company says the tightened security was designed to protect the privacy of its millions of iPhone and MacBook users, shielding them from cyber crime.

The security is so tight that the company can’t access most data stored in iCloud, including photos, notes and messages. This protects data even if there is a breach in iCloud but makes it difficult to comply with law enforcement requests for access.

“Apple has never created a ‘back door’ or master key to any of our products or services. We have also never allowed any government direct access to Apple servers. And we never will,” the company says on its privacy website. “Our legal team reviews requests to ensure that the requests have a valid legal basis. If they do, we comply by providing data responsive to the request. If a request does not have a valid legal basis, or if we consider it to be unclear, inappropriate or overly broad, we challenge or reject the request.”

Mobile phones offer a treasure trove of information, with hackers able to assume a user’s identity and empty bank accounts within minutes once they gain access, prompting the need for robust security.

iCloud protects 14 sensitive data categories using end-to-end encryption by default, including passwords in iCloud Keychain and Health data. For users who enable Advanced Data Protection for iCloud, the number of data categories protected using end-to-end encryption rises to 23, including iCloud Backup, Notes, and Photos.

Craig Federighi, Apple’s senior vice-president of software engineering, said it was part of the company “finding ways to fight back on behalf of our users” against cyber criminals.

“Bad actors continue to pour enormous amounts of time and resources into finding more creative and effective ways to steal consumer data, and we won’t rest in our efforts to stop them,” Mr Federighi said.

eSafety Commissioner Julie Inman Grant said last month she did not expect to “break end-to-end encryption” to consults with industry to draft new standards to combat online sexual abuse.

“Nor do we expect companies to design systematic vulnerabilities or weaknesses into any of their end-to-end encrypted services,” Ms Inman Grant said. “But operating an end-to-end encrypted service does not absolve companies of responsibility and cannot serve as a free pass to do nothing about these criminal acts.”

Ms Inman Grant said many in industry, including encrypted services, were proactively working to stamp out online abuse, without breaking encryption.

“Meta’s end-to-end encrypted WhatsApp messaging service already scans the non-encrypted parts of its service including profile and group chat names and pictures that might indicate accounts are providing or sharing child sexual abuse material.

“These and other interventions enable WhatsApp to make 1 million reports of child sexual exploitation and abuse each year. This is one example of measures companies can take.”

 

Leave a Reply