Celebrity Photo Data Hack: Lessons for Businesses and Consumers
If you’re a fan of Jennifer Lawrence, Kirsten Dunst, Kate Upton and others, you may be aware that some of their sensitive personal photos were apparently leaked online over the weekend. These photographs were allegedly obtained through a brute force attack on Apple’s cloud storage sites and services to which the photographs had been uploaded. Beyond “change your iCloud settings,” what practical takeaways does this incident provide and how can we safely use convenient cloud and mobile services for work and play?
First, we must acknowledge the risk. The loss of sensitive data through the use of connected devices was highlighted in the Websense Labs 2014 predictions, “Attackers will be more interested in cloud data than your network” and, “Cybercriminals will target the weakest links in the ‘data-exchange chain.’” You can download your own copy of the report here: http://www.websense.com/content/websense-2014-security-predictions-report.aspx.
Realistically, we are going to use the cloud and our mobile devices both for work and personal data as the convenience of availability enables us to be more effective in our jobs and to share with our friends and family. However, with convenience comes responsibility, so with both our business data and our personal data we should all be more mindful and have a standard protocol for safely integrating the use of these technologies.
Remember, the cloud is not a substitute for good data management practices, but by having a data use, creation and collection plan you can minimize the risk of threats to you or your organization.
This plan can be as simple as proactively examining: what data you want to create and share; what you plan to use the data for; and knowing where that data will be collected and stored.
For businesses a data use and classification plan simply gets users on the same page and can help avoid costly data loss issues. For personal use, this doesn’t need to be a big written policy. You simply must make a proactive choice on what you want to share to avoid later surprises.
Here are a couple of steps that I take in both my personal and professional life that may help guide your use of these convenient services:
1. Establish rules for what data can go into the cloud
As an organization, the first step toward safe cloud and mobile use is to acknowledge that there is risk in these applications. Some data should never go to the cloud without stringent protections. So go through the process of defining sensitive or high-value data, communicating that definition to employees and executives, and then reinforcing that learning through repetition, imagery and patterns. For your personal data plan that also means educating family members (especially younger, internet-active types). It is also beneficial to know how to remove data that accidentally gets into the cloud.
2. Identify and take steps to shore up the weakest links in your data-exchange chain.
Weak passwords remain a consistent and ongoing problem. Wherever possible, use strong two-factor authentication for highly sensitive data. Challenge questions and images are not recommended, as those can be compromised relatively easily. Instead, consider out-of-band authentication such as mobile device proximity, tokens, call-backs to a secondary phone number, biometrics and one-time passwords – all of which can reduce the risk of accidental or intentional disclosures.
Other weak links to consider include business cloud apps on mobile devices without appropriate monitoring or limits and improperly secured mobile devices (PIN, automatic recovery or wipe capabilities).
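The brute-force risk described above is something a service operator can detect in its own authentication logs. The following is an added example, not code from Websense or from this post: a sliding-window failed-login detector run over constructed sample log lines (the log format, account names and IP addresses are invented). It flags accounts with more than five failures in ten minutes, counts how many source IPs took part, and records whether a successful login followed the burst, which is the pattern a lockout or step-up authentication policy should act on.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (invented format and values, not from any real service):
# ISO timestamp, account, source IP, result.
SAMPLE_LOG = """\
2014-08-31T02:00:01Z user1@example.com 203.0.113.5 FAIL
2014-08-31T02:00:03Z user1@example.com 203.0.113.5 FAIL
2014-08-31T02:00:05Z user1@example.com 203.0.113.6 FAIL
2014-08-31T02:00:07Z user1@example.com 203.0.113.7 FAIL
2014-08-31T02:00:09Z user1@example.com 203.0.113.8 FAIL
2014-08-31T02:00:11Z user1@example.com 203.0.113.9 FAIL
2014-08-31T02:00:13Z user1@example.com 203.0.113.9 OK
2014-08-31T02:05:00Z user2@example.com 198.51.100.9 FAIL
2014-08-31T02:40:00Z user2@example.com 198.51.100.9 OK
"""


def parse_line(line):
    """Split one log line into (timestamp, account, source_ip, result)."""
    ts, account, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, result


def detect_brute_force(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Flag accounts with more than max_failures failed logins inside any sliding
    window of length `window`. Returns {account: {"failures", "distinct_ips",
    "success_after_burst"}}; the last field marks a login that succeeded while the
    failure burst was still inside the window (a likely guessed password)."""
    recent = defaultdict(deque)  # account -> deque of (timestamp, ip) recent failures
    alerts = {}
    for line in log_text.strip().splitlines():
        ts, account, ip, result = parse_line(line)
        q = recent[account]
        while q and ts - q[0][0] > window:  # expire failures older than the window
            q.popleft()
        if result == "FAIL":
            q.append((ts, ip))
            if len(q) > max_failures:
                alerts[account] = {
                    "failures": len(q),
                    # many source IPs for one account suggests a distributed guessing attempt
                    "distinct_ips": len({src for _, src in q}),
                    "success_after_burst": False,
                }
        elif result == "OK" and account in alerts and q:
            alerts[account]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for account, info in detect_brute_force(SAMPLE_LOG).items():
        print(account, info)
```

On the sample data only user1 is flagged: six failures from five addresses inside the window, followed by a success, while user2's single failure stays below the threshold.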
3. Know what to do if there is a breach
As an organization you also must be prepared with a good reporting process for accidental loss. If you are going to take the risk that data may be lost or leaked at some point, you must prepare for that as a possible eventuality. You should be prepared to rapidly identify how important the disclosed data is and any potential ramifications. Be ready with a plan that identifies whom you contact and in what order to contact them. This includes law enforcement (usually your first contact), others with whom you share the data, and the originators (or owners) of the data that was breached.