I recently met the CIO of a large technology company on the banks of Stickle Tarn below Pavey Ark in the Lake District. We both had dogs that we were restraining from leaping onto the frozen tarn and worrying about a third dog that was right out in the middle of the ice. We turned to each other to comment on the idiocy of allowing the dog onto the creaking ice and realised that we had met in 2012 at a conference. We decided to do the walk back down to the New Dungeon Ghyll Hotel together and chat over a pint or two. During our descent I (rather boringly!) asked what was his number one concern right now in a work context. The reply was not what I was expecting, although you would always assume it is in the top 10 worry list items for any CIO: it was data loss. They had noticed an increasing level of attack on their network and web-facing servers over recent months and were working on the premise that it is primarily aimed at intellectual property theft rather than the data and systems they host for clients. After an interesting discussion of the security issues and approach being taken, on which I must remain silent, we moved on to other topics.
Over the last few pints before we parted company we talked about the shadow IT and budget raider issues I blogged about in my last post. I was not surprised that he confirmed the issues were real to him and ones he was experiencing within his company. He was more bullish about handling the challenges than some other CIOs with whom I’ve discussed the topic but agreed they were current and requiring time and attention to address.
Later that week I read a report published by KPMG on data loss which I was planning to talk about in this post. However, earlier today I read a great blog post on the same topic/report by Sarah Green on the Harvard Business Review site so will instead leave you to read it here.
As a result I have room to talk about a related bee in my bonnet instead! The point in the report on technology companies being one of the primary targets for hackers was telling as I am convinced that Apple have been hacked.
I think the system relating to Apple iTunes gift cards has been compromised. I was recently given a £15 gift card which, when I tried to redeem it, was declared by iTunes to have been “already redeemed”. Now this was a brand new untouched card from which I had personally scratched off the code cover myself so I knew that this could not be true, unless the card was a duplicate or the underlying system compromised. Expecting that a) Apple would be helpful and refund my money and that b) this would prove to be an isolated issue caused by a system glitch, I contacted Apple and searched the support forums.
What I found was a number of people posting with similar stories of woe across different countries and that the unhelpful implicit “well you must be mistaken as that code is reporting as already redeemed” position taken by Apple support was consistent. My card was apparently redeemed in June 2012 so clearly my trying to redeem the same code in January 2013 meant I was the one at fault. There is even a video of a chap posted to the Apple support forum using a clearly virgin card and obtaining the “already redeemed” message; last I read he had made no progress in having Apple accept that there was a problem and he was not trying to re-use an old card. To my shame I gave up arguing with Apple as for £15 it was simply not worth the hassle (and as it was a gift I lacked a receipt to prove date of purchase), however I certainly will not be buying any iTunes gift cards in the future and I remain convinced that their system has been compromised in some way. If you are interested here is one of the support forums where people are reporting the issue.
Denying and ignoring the issue appears to have been a successful strategy for Apple to date. I suspect that they will probably ride out the “noise” without any real publicity or PR damage. However, I do think that they are skating on thin ice with this approach and eventually this type of customer angst does rebound and cause damage. Denial of security breaches is tempting but ultimately transparency, acknowledgement of the issue and a declared plan to correct is probably the better strategy.