On Monday, Weibo user MeiguoWangshi1999 posted a detailed account of alleged data theft and extortion by a worker on Apple's official technical support hotline after they called for help with the company's iCloud service.
[Latest update] @MeiguoWangshi1999 (@美国往事1999): Apple contacted me this morning and said that the employee concerned had already been fired, but refused to disclose any details. They also refused to confirm whether the employee had stolen copies of my personal information and data, and whether he had exploited it. In the end, they didn't say enough. So this is the attitude and conduct of the world's most highly valued tech company! They fired the employee so quickly, but still don't even know how many people's personal information and data was stolen and leaked. Apple users should all be wary! [Chinese]
The purported incident, they noted, took place on the very first day after management of the service was handed over to a Chinese partner, the provincial government-owned Guizhou Cloud Big Data (GCBD), in compliance with the new Cybersecurity Law introduced last year. The move sparked concerns at the prospect of Chinese authorities' access to user data and a fresh wave of criticism of Apple's acquiescence to Chinese demands, following the removal of VPN and other apps from its Chinese App Store, and public appearances by its CEO Tim Cook seen as endorsing China's system of internet controls. MeiguoWangshi1999 has since downplayed the link between the reported incident and the Guizhou handover, and many commenters have focused the blame on Apple instead of its local partner. However, iCloud's Chinese terms and conditions indicate that GCBD took on technical support together with management of the service.
CDT has asked Apple to confirm MeiguoWangshi1999's claim that an employee was fired over the incident, but has not received a response. We have not been able to independently verify the following account. On February 28, MeiguoWangshi1999 says, they called Apple's customer service hotline (400 666 8800) about some iCloud-related issues. They were transferred to a senior technical support worker with "a very perfunctory and evasive manner," whose unhelpfulness led to an argument.
That evening, the worker reportedly called back from a Xi'an cellphone number. He got straight to the point: he was the support worker they'd spoken to that afternoon, and had used his position to access their iCloud account and make copies of their personal data. He sent emails to each of the author's three email accounts (163, Hotmail, and iCloud) from his own QQ account, demanding that they add him as a contact on QQ within one hour, or else he'd leak their personal data. He warned them not to use their Apple equipment—phone or computer—and said he could cause them personal and professional inconvenience.
They added him on QQ, but he didn't respond. They called his phone, and got through, but the worker made no further reference to the earlier calls, perhaps afraid of being recorded. After he hung up, the author called again, but his phone had been switched off. Later, they went online to check their email and found that their Hotmail password had been changed and they couldn't log in, but were able to reset it through the password retrieval function. Nevertheless, they were certain that their Hotmail account had also been compromised. There was a threatening letter from the tech support employee in both the Hotmail and iCloud accounts.
The author said that they usually use their 163 email account, hadn't used their Hotmail in years, and had basically never used their iCloud account, so they didn't know how the intruder had known about them all, or how he had obtained their full name and phone number. The next day, however, they checked their Apple ID profile page, and found that the name and addresses were all listed there. They'd previously received a notification from Apple at their 163 email account that their Apple ID had been used to log into iCloud, which wasn't prompted by anything they'd done themselves. This, they say, proves that their iCloud account was illegally accessed. They have noted elsewhere that two-factor authentication was not enabled.
Their iCloud storage contained a large amount of important personal data including contact, photos, emails, cloud files, notes, and so on. Their notes contained usernames and passwords for several financial and other online services. They still don't know how much of this was copied. It's shocking and alarming, they wrote, that at a time when everyone is paying more attention to information security than ever, such a serious and unpleasant incident could happen on the very first day after iCloud's handover.
MeiguoWangshi1999 later made repeated calls to Apple's customer service line to report what had happened, speaking to several managers in an effort to discover the alleged thief's identity, how much data had been stolen and whether it had already been exploited, and whether their iCloud account was now secure. These questions were rebuffed on confidentiality grounds. A manager from an unidentified higher department said that the now ex-employee's job should not have given them access to all the information they appeared to have accessed, and suggested that they had somehow obtained it through external channels. MeiguoWangshi1999's account concludes:
It's unacceptable for customer service staff of the world's most celebrated and highly valued tech company to use their positions to steal user data and use it to threaten and extort someone. The perfunctory and arrogant attitude and behavior Apple displayed in refusing to take responsibility while handling the incident afterwards is also startling and maddening. Now, I hope all Apple users can see this post, and pay attention to and protect their personal data, even if that was useless this time. I also hope the relevant official departments can investigate and deal with Apple's poor conduct in this case.
Finally, I have already reported this to the police and registered the case. [Chinese]
Sandra Severdia contributed to this post.