Celebrity photos rain from iCloud … is your data secure in the stratosphere?

It was that rare kind of story — one that inspired handwringing headlines across the vast media spectrum, from The New York Times to The Wall Street Journal to Us magazine.

Over the Labor Day weekend, an anonymous hacker leaked nude photos of several A-list celebrities, including Jennifer Lawrence and Kate Upton, to the Internet. The hacker had reportedly obtained the photos from Apple’s iCloud, sending Apple into frantic damage-control mode.

Apple later released a statement noting that its systems were not, in fact, breached but were accessed through stolen passwords:

[W]e have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. … To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification.

To some, however, the question of whether iCloud was actually breached might seem like hair-splitting. The discomfiting reality is that information that was thought to be private and secure was obtained illegally from Apple’s cloud server, and the public was forced to endure yet another in a very long series of high-profile data-breach scares.

For the general public, such stories are becoming more and more concerning, but for business owners, who are taking advantage of the convenience of cloud storage in greater and greater numbers, they’re particularly vexing.

To clear away some of the fog surrounding cloud security, we caught up with Kate Bechen, an attorney with Whyte Hirschboeck Dudek who practices in the areas of privacy law and technology law.

The following is an abridged version of that interview:

What exactly happened with Apple iCloud?

My understanding is that … the individuals that had their photos exposed, their passwords and usernames were basically obtained without their consent. And from a technology perspective, it was a fairly simple type of technology, which is just randomly running passwords through a system that eventually gets a hit as a match between a username and a password.

Apple is maintaining that their security measures weren’t exactly breached, it’s that the passwords themselves were compromised.

So do you chalk that up to user error, or is it something that people need to be concerned about on a deeper level?

I think a couple things come into play. First of all, it’s really important to pick a good password — something that doesn’t involve really common words or certainly dates of birth or other things that are public record and can be fairly easily obtained or used in the process of trying to hack into someone’s password.

Secondly, we all should really be thoughtful with regard to the types of information we store in the cloud. It’s not as secure as people just assume it is. I think there’s a general assumption that if it’s my personal picture or my personal communications or my personal document, it’s mine, and that if I store it in my iCloud or any other type of cloud server, it will be private and secure. It is to a large extent, but it’s not 100%. And I think that the best defense is just not putting those personal documents or records into the cloud — either not creating them to start with or keeping them on your computer or on your handheld device, which is not as accessible.

While it was personal information that was leaked in the iCloud case, business owners are obviously concerned about their company secrets and sensitive information. It sounds like you’re saying they need to be a little more careful about what they’re willing to store in the cloud so they don’t suffer the same fate as Jennifer Lawrence and Kate Upton.

I’m not anti-cloud. I think it makes things simpler, it has a lot of ease of use, and quite frankly, it’s inexpensive, because you’re pooling your data with lots of other people and there isn’t the hardware or infrastructure that needs to be in place for a particular company. So for companies that are looking at moving some data to the cloud, I think you really want to look at what your data universe is.

If it’s not really the trade secrets, confidential business records, or customer information that you want to make sure is private, then using the cloud is a really great resource and can be a very smart business decision.

When you get into more sensitive types of data, having local control or at least having a physical data center is specifically where I see those types of companies going.

Some business owners might think, ‘Well, I don’t really have anything of interest to hackers, and my data is pretty small potatoes.’ Is it a mistake to assume that?

If the business is not subject to any regulations that require a heightened level of data privacy and security — for example in the health care or the financial services industry — then it might be a situation where exclusively using the cloud makes sense. It’s a decision that a business wants to make sure they do with full understanding of what their data looks like and what kinds of laws their data is subject to. And also you need to accept that if you’re putting your data on the cloud, you are relying on multiple third parties that are involved in that process, and you have a little bit less security and a little bit less control. But certainly, in many situations, it can be a really good option.

What about choosing a vendor? People might have seen this story and thought, ‘Well, if I can’t trust my data with Apple, how is a smaller vendor going to be able to keep up with all these potential security problems?’ What questions do people need to ask of vendors before they trust them with their data?

Going back to looking at what data you are looking to store, if it is highly sensitive data, then your questions need to be more rigorous and your review of that vendor needs to be more in depth. And there are some vendors that offer encrypted cloud, and that’s one way of certainly enhancing security. The problem with encryption is that the underlying software that enables encryption, unless that’s open source, it really can’t be verified how secure and how private that cloud might be.

Also, there is ultimately a physical location that has servers and other equipment that is making that cloud possible, and knowing where that’s located is good. I work with a number of smaller technology companies, and oftentimes we’re surprised as we start talking to vendors and we realize that some of their servers are not located in the U.S. And that can create a lot of potential issues with respect to making sure you’re maintaining enough control and access of your data.



And then just looking at companies that are customers of that vendor, asking for some references. From more of a data center side, if you’re looking at outsourcing to a physical data center, go tour the facility and physically see what kind of security measures they have, and learn what kind of equipment they use and how state of the art their technology is.

On a lot of these issues, people may be concerned that the hackers are always one step ahead of the security people. Is that too paranoid?

It’s an interesting question. I think with regard to a lot of the large-scale or public types of incidents that have happened, like the Target breach and the leak of the celebrity photos, the methods, at least to my understanding … have been fairly simple in technology terms, so I don’t know at this point if extremely elaborate steps are being taken, because this more simple method of just having a computer program set up that guesses passwords — if those passwords aren’t that strong to begin with — are often going to be more successful from a hacker’s perspective. But there certainly are some amazing things that hackers are developing and that people are developing on the security side as well, and I think there’s probably more innovation and drive on the hackers’ side because that’s what many of them are fueled by, is being able to get across certain security measures that various institutions have put in place.

Anything else you’d like to add?

I know we talked about hackers and security breaches resulting from poor or substandard security measures, but government requests for data and information is another real active area where third parties are getting access to private information. I don’t have the numbers, but in 2013, Google … received a large number of government requests for information, and in a good majority of the cases they did disclose information, because they can’t fight all of it. So that’s just another avenue of access. [Note: Google posts information on government requests for user data and the percentage of requests that are honored. It can be found here.]

Click here to sign up for the free IB ezine — your twice-weekly resource for local business news, analysis, voices, and the names you need to know. If you are not already a subscriber to In Business magazine, be sure to sign up for our monthly print edition here.