Apple Fails to Notify 128 Million Users of Malware

Throughout the rise in cyberattacks over the last year, we have discussed best practices around preventing those breaches. We have also discussed having an appropriate incident response plan in place. One thing we haven’t discussed much, though, is the effects of your decisions on your customers. Anytime malicious code is found or you learn that your systems may have been compromised, you have an obligation to notify anyone who is potentially impacted. Big tech companies like to tout their security practices, but they often shirk the responsibility of notification, as evidenced in the courtroom battle between Epic and Apple.

Back in 2015, researchers discovered malicious code in thousands of apps in the Apple App Store. The apps, while legitimate, were built using a counterfeit version of Xcode, Apple’s app development tool. The counterfeit, XcodeGhost, was a repackaged tool that inserted malicious code alongside normal app functions. Once an affected app was downloaded, the iPhone would report to a command-and-control server and share sensitive device information. In order to use this tool, developers had to click through a warning from Gatekeeper, which requires all apps to be digitally signed by a known developer.

As reported by Wired magazine, an email surfaced amid Apple’s legal battle with Epic. The email is from September 21, 2015, when Apple managers discovered 2,500 malicious apps. They combined for over 200 million downloads by 128 million users.

“‘Joz, Tom and Christine—due to the large number of customers potentially affected, do we want to send an email to all of them?’ App Store VP Matthew Fischer wrote, referring to Apple senior vice president of worldwide marketing Greg Joswiak and Apple PR people Tom Neumayr and Christine Monaghan. The email continued:

If yes, Dale Bagwell from our Customer Experience team will be on point to manage this on our side. Note that this will pose some challenges in terms of language localizations of the email, since the downloads of these apps took place in a wide variety of App Store storefronts around the world (e.g. we wouldn’t want to send an English-language email to a customer who downloaded one or more of these apps from the Brazil App Store, where Brazilian Portuguese would be the more appropriate language).

About 10 hours later, Bagwell discusses the logistics of notifying all 128 million affected users, localizing notifications to each user’s language, and ‘accurately includ[ing] the names of the apps for each customer.’”

The problem is, Apple never followed through on notifying users about this breach. So now there are 128 million users out there, 18 million of whom are in the US, who have had their information compromised and don’t even know it. Users who are unaware their device is compromised may log on to another network and thereby expose anyone else connected to it, including a business.

And if your business used XcodeGhost for its iOS apps, you must ensure that you are no longer using it. A full review of all code related to apps should be conducted to verify that nothing malicious is embedded without your knowledge. And if you find any malicious code, it must be treated as an incident and responded to appropriately. Notification to anyone whose information may have been impacted is imperative.

Small and medium-sized businesses should NOT take their cue from big tech in this instance. Bring in an expert to review your security and your code, and make sure you’re covering your bases and doing it right. Proper notification is important for many reasons, not least of which is how much your business is on the hook for when an incident occurs.

About the Author

PWV Consultants is a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as a trusted technical partner for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. It was founded by 20-year software engineering veterans who have founded or co-founded several companies. PWV experts act as trusted advisors and mentors to numerous early-stage startups, and have held the titles of software and software security executive, consultant and professor. PWV's expert consulting and advisory work spans several high-impact industries in finance, media, medical tech, and defense contracting. PWV's founding experts also authored the highly influential precursor HAZL (jADE) programming language.
