Why It's a Good Thing Apple "Bombed" the Developer Site

by anonymous on 2013-08-08 10:21:43

Why Taking the Apple Developer Sites Down was a Good Thing

Apple's decision to "blow up" its developer websites and address security issues through a complete rebuild, despite causing significant economic losses, was absolutely the right choice.

The Apple Developer Center was shut down on July 18 due to a potential security breach or attack, and as of this writing, it has not been fully restored. In a statement, Apple said that the incident may have led to the leakage of information such as the names, mailing addresses, and email addresses of 275,000 Apple developers. However, Apple emphasized that sensitive personal data was encrypted and could not be accessed. (Editor's note: Turkish security expert Ibrahim Balic claimed responsibility for the attack and published a video on YouTube exposing a cross-site scripting (XSS) vulnerability in Apple's developer website.)

Apple is notoriously tight-lipped about security issues. For example, in this case, three days after the incident, Apple publicly stated that the site was closed due to "maintenance issues." It wasn't until the weekend that Apple provided an explanation for the shutdown and outlined the scope of the data breach. Another less-noticed announcement detailed what they were doing to address the issue:

In order to prevent such security threats from happening again, we have conducted a comprehensive review of our development systems, updated our server software, and completely rebuilt the entire database.

In other words, Apple decided to accept the significant losses caused by the prolonged shutdown of its network services in order to thoroughly eliminate security risks, threats, and vulnerabilities through a complete rebuild. To quote a famous line spoken by the protagonist Ellen Ripley in the movie *Aliens*: Apple decided to "nuke the entire site from orbit," because "it's the only way to be sure."

This kind of unprecedented, all-encompassing response is rare, especially when it is still unclear whether a real breach occurred. A UK-based security researcher, Ibrahim Balic, claimed that he discovered the vulnerability in the website and reported it to Apple, and that Apple subsequently shut the site down. He also claimed that he did not infiltrate the system or access any data. Regardless of whether a breach actually occurred, the scope of the data breach (or potential breach) was limited, which is why Apple's decisive action deserves praise. Few companies can afford to endure long-term downtime to do the right thing and rebuild (Editor's note: unless the site requires registration with the Ministry of Industry and Information Technology). Another comparable incident is Sony's response to the 2011 PlayStation Network (PSN) hack, during which Sony took the service offline for 25 days. In that PSN security incident, there was confirmed data leakage—77 million user records leaked, including the details of 12,000 user credit cards.

Sony stated that the breach cost them at least $171 million, a large portion of which was due to the downtime required to rebuild the system. Despite this, Sony made the right decision to accept the downtime, and no further breaches occurred afterward. Unfortunately, Sony did not receive the recognition they deserved for their actions.

Therefore, Apple's security team also deserves credit for taking action similar to Sony's: not just patching a single vulnerability in a chaotic infrastructure, but taking the time to rebuild the system to make it more secure. If more companies responded to breaches in this manner, our industry, and with it the state of technology, privacy, security, and the cyber-threat landscape, would be much better off.