Apple hack traces back to third-party provider

CALIFORNIA, UNITED STATES — In a significant security breach, Apple’s systems were compromised, leading to the theft of $2.5 million in gift cards and $100,000 in products. 

The culprits — a former Apple security researcher and an associate — exploited a vulnerability in the system of a customer support provider contracted by Apple.

The unnamed contractor, referred to as “Company B” in court documents, inadvertently became the hackers’ gateway to Apple’s internal network. The breach not only resulted in substantial financial losses for the contractor, estimated at over $3 million, but also highlighted the risks inherent in third-party partnerships.

According to a report, the hackers used a password reset tool and the internet to access the contractor’s systems, which had direct connections to Apple’s network via a VPN. They manipulated an internal Apple database and a program called “Toolbox” to create and manage fraudulent orders.

This incident underscores the warnings cybersecurity experts have been issuing about the potential vulnerabilities third-party vendors introduce. 

Apple itself had previously acknowledged the dangers of such vulnerabilities in a December 2023 report, cautioning that hackers could exploit third-party systems to access data across multiple organizations.

In an interview with Nearshore Americas, Lisa McStay, COO at Continuity2, pointed out that third-party partners often have weaker cybersecurity defenses than their larger clients.

McStay added that it is essential to scrutinize the service provider’s security practices and insist on frequent security evaluations. 

Echoing this sentiment, Nic Adams, CEO of cybersecurity firm Orcus, emphasized the importance of diligent oversight and auditing of third-party partners. He advised that companies should restrict their partners’ access to systems, adopt a multi-layered security strategy, and include precise security stipulations in service agreements.

Adams also suggested that service providers should conduct regular security checks, provide continuous security training to their staff, enforce strict access controls, and maintain open communication with clients regarding security measures and any incidents that occur.
