Apple study: 2.6 billion user records exposed, end‑to‑end encryption wins
A new Apple study shows 2.6 billion personal records were exposed in past two years, bolstering the case for end‑to‑end encryption.
The report, designed to examine the continued threats to personal data, seems to have only boosted the argument in favor of end‑to‑end encryption in personal devices, such as the iPhone.
The Apple-commissioned study shows that threats to consumer data stored in the cloud have grown dramatically since the last report was published in December 2022.
The study, conducted by Massachusetts Institute of Technology professor Dr. Stuart Madnick, “found clear and compelling proof that data breaches have become an epidemic, threatening sensitive and personal consumer data the world over,” Apple said Wednesday, December 10th, in a blog post.
According to Apple, since 2013, the number of data breaches has tripled. What’s more, the study titled, The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase, found that between 2022 and 2023, a whopping 2.6 billion personal records have been compromised.
Apple says the finding only underscores the need for end-to-end encryption to protect individuals’ data, which is more often than not stored in the cloud.
Data breaches up 20% in 2023
Data breaches more than tripled between 2013 and 2022 — exposing 2.6 billion personal records in the past two years alone — and have continued to get worse in 2023, the report shows.
This year’s study, a follow-up to last year’s Rising Threat to Consumer Data in the Cloud report, coincided with Apple’s introduction of its Advanced Data Protection for iCloud.
By default, iCloud’s end-to-end encryption (E2EE) protects 14 sensitive data categories, enabling the Advanced version to increase that number to 23 categories, including iCloud Backup, Notes, and Photos, the tech company said.
“Bad actors continue to pour enormous amounts of time and resources into finding more creative and effective ways to steal consumer data, and we won’t rest in our efforts to stop them,” said Craig Federighi, Apple’s senior vice president of Software Engineering.
“As threats to consumer data grow, we’ll keep finding ways to fight back on behalf of our users by adding even more powerful protections.”
With Advanced Data Protection for iCloud, users have the choice to further protect important iCloud data even in the case of a data breach.
The report shows that attacks targeting cloud infrastructure nearly doubled from 2021 to 2022, and a recent 2023 survey found that over 80 percent of breaches involved data stored in the cloud.
Sourya Biswas, technical director of Risk Management and Governance at NCC Group, is not surprised the number of cloud attacks has increased in past years, citing two main reasons.
The first has to do with the large number of organizations moving to the cloud, Biswas said.
“This includes many smaller organizations who want to take advantage of the ‘pay-as-you-use’ model, but lack the budget for security teams," he said.
The second reason, Biswas explained, is the misunderstanding by organizations that once data is in the cloud, the third party cloud service provider is responsible for protecting that data.
“While the CSP is responsible for the security ‘of the cloud,’ individual users are responsible for security 'in the cloud.' That’s why a lot of the issues can be traced to cloud misconfigurations,” Biswas said.
Apple says even if users do everything to protect their data, hackers will find ways to get access, most often going after weaker third-party vendors, who may still be storing users' data in readable form.
“Hackers are evolving their methods and finding more ways to defeat security practices that once held them back,” Apple said.
The study said that 98% of organizations have a relationship with at least one technology vendor that experienced a data breach in the previous two years.
Biswas agrees that more than ever, the average organization is outsourcing its support functions to external third-party providers so it can turn its focus back on core functions.
"In today’s interconnected world, virtually every organization relies on a wide range of vendors and software. As a result, hackers only need to exploit vulnerabilities in third-party software or a vendor’s system to gain access to the data stored by every organization that relies on that vendor," the study said.
Implementing strict vendor risk management practices has become necessary to help counter the increased attack surface that results from doing business with insecure third parties, Biswas said.
Ransomware attacks top threat to personal data
Ransomware was not far behind with a 70% increase in attacks from the beginning of January through September 2023.
“In fact, experts found that there were more ransomware attacks through September 2023 than in all of 2022 combined,” the statistics showed.
The study singled out major data breaches involving personal data such as 23andMe, which is thought to have exposed 300TB of user data.
The MoveIt hacks alone have reportedly compromised the data of more than 65 million individuals.
E2EE makes it impossible for hackers to unscramble a user's data on the device or in the cloud without additional user authentication.
Law enforcement officials have argued against the feature over claims it hinders investigations by making it nearly impossible to access data from personal devices without the user's knowledge.
This week, after much anticipation, Meta rolled out its default end-to-end encryption for Facebook Messenger.
The technology had already been implemented this past August for Meta’s WhatsApp, at behest to the British government.
UK officials had urged Zuckerberg to hold off on installing the default E2EE for Instagram and Messenger back in September until safety measures to protect children from sexual abuse were integrated with the feature.
More from Cybernews:
Subscribe to our newsletter