Dev Site Security Hack: Apple's Disclosure Headache

Apple shut down its Mac, iPhone, and iPad developer website last Thursday saying it was performing unscheduled maintenance. Emails saying the maintenance was the result of a security breach were sent to developers over the weekend, and as of Monday morning the site was still down. Good on Apple for keeping developers in the loop, but should they have been given the whole story earlier?

Apple waited three days before warning developers of data breachApple waited three days before warning developers of data breach

Developers were greeted with a "We'll be back soon" message Thursday afternoon without any hint about the security breach. That breach, it turns out, involved someone attempting to hack into the developer account database -- news that didn't make its way to developers until Sunday evening.

That email stated in part,

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers' names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

Apple said it has been in the process of "completely overhauling our developer systems, updating our server software, and rebuilding our entire database."

The company's carefully selected words in its message to developers also included "cannot" when referring to the ability to hack into personal information. That's a big thing because what Apple is saying is that even if someone does obtain personal information from the database, there simply isn't any way for it to be decrypted. In other words, sensitive developer account information is safe even if it falls into the wrong hands.

Even though it did take a few days for Apple to get the whole story to developers, at least they finally did. That doesn't mean, however, that developers weren't left wondering exactly what was happening. In fact, they were left in the dark for about three days.

While Apple is saying that it hasn't ruled out the possibility that some information was taken, one man who claims to be a security researcher said he actually has developer account data. Ibrahim Balic shared a video link on Twitter with proof he has user account information. While he does show user names in his video, there isn't any indication that he also gained access to account passwords or other sensitive information.



Apple spokesperson Tom Neumayr also told AllThingsD, "The website that was breached is not associated with any customer information," and that, "customer information is securely encrypted."

Apple was left in a position where executives had to choose between the lesser of two evils: Disclose the attack to developers immediately and face questions about why there wasn't any more information available, or wait a few days until they could provide some real answers. Had Apple revealed what it initially knew, which was likely "there's been an attempted hack, but we don't know if anything has been taken," the company would've been faced with a accusations of incompetence since the answers to many questions would've been "I don't know." By waiting a few days, Apple was able to learn more about exactly what happened and offer developers a more complete answer.

Apple's email warning developers about the security breachApple's email warning developers about the security breach

Withholding information about security breaches leads to distrust and a loss of confidence, and that's a lesson Sony learned the hard way. In spring of 2011, hackers downloaded user account information for millions of PlayStation Network members -- including credit cards and password -- and withheld the news from users for several days. Users and the media responded just as you'd expect: with anger and frustration.

Apple's developer data breach doesn't look to be nearly as serious as Sony's, and information about what happened was released within three days instead of after more than a week. Apple may have to deal with some anger for that delay, but in the end waiting was the right thing to do. Developers have more information about what's happening, and Apple doesn't have to deal with ongoing questions it can't answer.

Apple may have a black eye over this data breach, but it isn't as bad as it could've been had the company come forward last Thursday without any real information to share. It's all about damage control, and while Apple will have to deal with some public backlash, it could've been far worse for the company. This time, waiting was the right thing to do.