As Bloomberg reports, the unnamed hacker – who was 16 years old when the security breaches began – exploited a VPN designed for the use of authorized parties to access Apple’s internal systems. With assistance from an accomplice, “he later sent a computer script to the system which created a secure shell tunnel – a method of accessing systems and bypassing firewalls – enabling them to remove data more quickly.”
In all, 90 GB of sensitive data is thought to have been exfiltrated, including internal security policies and authorized login keys.
Unfortunately for the unnamed youth, his activities were spotted by the tech giant. Apple informed the FBI, which in turn informed Australian law enforcement. This led to a police raid at his home last year.
Prosecutors described what investigators found on the youth’s seized computer hardware:
Two Apple laptops were seized and the serial numbers matched the serial numbers of the devices which accessed the internal systems. A mobile phone and hard drive were also seized and the IP address … matched the intrusions into the organisation. The purpose was to connect remotely to the company’s internal systems.
Furthermore, exploration of the laptop’s contents uncovered a folder named “hacky hack hack” containing the stolen files.
If that sounds like something of a childish error, consider that the Melbourne private schoolboy is also said to have bragged about his hack with friends via WhatsApp.
The teenager, who is now 19, was described to be a “fan” of Apple who “dreamed” of working for the company one day and found accessing its internal networks “addictive.”
Apple was at pains to point out that customers’ personal data had not been put at risk by the security breach:
We vigilantly protect our networks and have dedicated teams of information security professionals that work to detect and respond to threats. In this case, our teams discovered the unauthorized access, contained it, and reported the incident to law enforcement. We regard the data security of our users as one of our greatest responsibilities and want to assure our customers that at no point during this incident was their personal data compromised.
After showing remorse and assisting the authorities with their inquiries, the young man has been given an eight-month probation order, and no conviction will be recorded. He has reportedly been accepted for a university course where he plans to study criminology and computer security.
It’s a lucky escape for the teenager. If he had been just a couple of years older, he would have been prosecuted as an adult and could have faced a maximum sentence of 10 years in jail for unauthorized modification of data and a further two years imprisonment for unauthorized access.
Other young people with IT skills would be wise to take this story as a warning – don’t follow this youngster’s example. If you want to work for a technology company, don’t break the law to gain access to their systems. Prove your skills in a legitimate, legal way and perhaps apply for an internship.
One thing I’m fairly confident about is that if Apple has to choose between a candidate who hacked into their systems for months and stole data,and one who didn’t, they are more likely to choose the candidate who has proven themselves to behave maturely and ethically.