Site icon Sophos News

Distributor caught selling Apple customers’ data

Apple’s been hit by a weak link in its own supply chain: employees of a distributor have been detained under suspicion of selling iPhone users’ personal data on underground forums.

According to the Hong Kong Free Press, Chinese police have detained 22 people, 20 of whom were employees of a company described in a police statement as a “domestic direct sales company and outsourcing company”.

The detentions come after a months-long investigation across four Chinese provinces: Guangdong, Jiangsu, Zhejiang, and Fujian. The police statement said that the suspects were taken into custody and police seized what they called the gang’s “criminal tools” and dismantled their online network.

The alleged scam involved draining users’ names, phone numbers, Apple IDs and other data from an internal company system, then selling the personal data for what amounted to more than 50 million yuan (USD $7.35 million, £5.7 million).

The cost allegedly charged for the stolen data, sold piecemeal, was between 10 yuan (USD $1.47, £1.15) and 180 yuan (USD $26.48, £20.77).

The Hong Kong Free Press noted that the sale of personal information is “common” in China. Common, but increasingly dangerous: earlier in the month, the country enacted a new law that mandates strict data surveillance and storage for firms working in the country. According to Reuters, the official Xinhua news agency warned that “Those who violate the provisions and infringe on personal information will face hefty fines.”

Engadget reached out to Apple for more information, including how many customers were affected; whether they were just in China or also hailed from other countries; and what the fate of the internal, breached database might be. The publication hadn’t yet heard back as of Saturday.

Of course, like plenty of tech companies, Apple has belched up its share of embarrassment: nothing like Apple Geniuses pouring whiskey into hard drives or using laptops as skateboards if they don’t take a shine to a particular customer, as Gizmodo’s Sam Biddle recounted in his story “Confessions from the Most Corrupt Apple Store in America.”

But Apple sure hasn’t cornered the market on feisty employees, nor on insider threats like this recent crop of distributor employee arrests.

Pity healthcare companies, for example. According to a report from Protenus, a Big Data analytics firm, insiders committed 59.2% of patient health record privacy violations in January 2017, with much of the culpability falling on insiders who were either crooks or plain old clueless.

The “clueless” piece of the puzzle was underscored by another report, from IBM Managed Security Services (MSS), that found insiders to be responsible for 68% of all network attacks targeting healthcare data in 2016. Almost two-thirds of those attacks were the result of people using misconfigured servers and falling victim to phishing scams.

Vengeful employees are a thing unto themselves. The FBI has said that disgruntled employees are increasingly e-sabotaging businesses.

Take the ex-IT director at Columbia Sportswear, for one: the company recently sued him for allegedly setting himself up with a fake email account the day before he left and then using it to hack the company for more than two years.

Then too, there was Yovan Garcia, who was fined $318,661.70 after a California court found him guilty of padding his work hours, hacking the company’s servers to steal data on customers, demolishing the servers in the process, defacing the website, ripping off the proprietary software, and setting up a rival business running on that ripped-off program.

OUCH.

Employees on a rampage are one thing. But what’s a company supposed to do about a link in the supply chain that starts spurting data like a punctured artery? You can have the strictest security in the world, but it will all melt away if you have a weak link in the chain. As we’ve noted in the past, every company we do business with, share data with, outsource operations to, sell things to or buy things from forms a part of our own security chain. A breach at any point in the chain can have an impact on the privacy and integrity of data.

One would hope that Apple, or any company, that handles our personal data is vetting vendors who process or store it, asking tough questions regarding their controls and how they’re implemented.

An averted gaze or foot-shuffling can often tell you what you want to know. Hopefully, a few minutes of vetting can also keep your company name from popping up in headlines like the ones that Apple’s picking up from this incident, stuck like burrs to its hide, regardless of the fact that the culprits weren’t actually Apple employees.

They were just a weak link in the chain.

Exit mobile version