The FBI may be due for a reprieve after claims that hacktivist group AntiSec hacked an agent's computer and compromised 12 million Apple unique device identifiers (UDIDs) recently made headlines. Although the hackers claimed to have breached a laptop belonging to cybersecurity expert Christopher Stangl, the FBI issued a statement countering these accusations shortly after news broke of the incident. Now, a third party has emerged to lend credence to the FBI's claims.
Paul DeHart, CEO of software company BlueToad, told Reuters that the data security breach actually happened within his company, which hosts 5,000 digital publications and offers applications to help publishers better monetize their content. Perhaps due to the potentially lucrative payload, the company deflects an average of 1,000 cyberattacks each day.
In addition to taking some liberty regarding where the UDIDs came from, AntiSec may have also exaggerated how much data the group retrieved. According to DeHart, only two million IDs were compromised in the incident.
Lack of data protection
Although the actual scope of the incident is smaller in scale than the original headline-making claims, Wall Street Journal columnists Jennifer Valentino-Devries, Jeremy Singer-Vine and Ashkan Soltani highlighted another legitimate risk. WSJ conducted an investigation in which it tested a sample of the one million released UDIDs and found that BlueToad apps sent device and user information back to the company in plain text.
As the WSJ writers pointed out, BlueToad's CEO said device information was not automatically connected with personal data, but more than 400 users included addresses or full names with the name of their device. The incident may be part of a larger trend of lax practices regarding the protection of user data.
"The BlueToad breach is the latest in a series of events that have raised questions about the security and privacy of the fast-growing app economy," WSJ stated. "Many apps have been found taking data that users didn't know about. In 2010, the Journal tested 100 iPhone and Android apps and found that more than half were transmitting identifying details without the user's knowledge, and some were sending more personal information such as contact lists and location information. Since then, several other apps have been caught transmitting details about users without their knowledge."
Due to the user privacy risks, Apple has instructed application developers to stop using UDIDs and plans to progressively reduce developer access to the ID system. While this move is good news for privacy, it has caused concern for mobile ad networks and app developers that leverage the identifier to track user behavior.
Data Security News from SimplySecurity.com by Trend Micro