iCloud celebrity photo hack: Are we too quick to trust cloud storage?

After the theft of naked celebrity photos from Apple's iCloud, should we all be more careful about what we're - perhaps unknowingly - storing in the cloud?

The theft of hundreds of private photos belonging to well-known celebrities - including naked pictures of The Hunger Games star Jennifer Lawrence - has left Apple facing searching questions about the security of its iCloud service.

The Apple cloud storage system - which automatically backs up documents and images stored on people's iPhone and iPad devices - was broken into by hackers, who then shared the stolen private images of celebrities on the notorious message board 4chan. The photos went viral, with reports of the image thefts being spread via social media and the wider web.

But while the teenage boys of Reddit clamoured to gawp at photos of naked celebrity women, the real issue here is arguably this question: are people too quick to trust the security of cloud storage services like iCloud? After all, this episode might not involve sensitive corporate data, but it still represents a massive data breach for those who've had their private photos exposed.

"It is a stark reminder of the potential consequences of having sensitive material lying around in the cloud," said Chris Boyd, malware intelligence analyst at Malwarebytes, who pointed out that individuals may not be aware that their smartphones are automatically backing up their files to a cloud server.

"With today's devices being very keen to push data to their own respective cloud services, people should be careful that sensitive media isn't automatically uploaded to the web, or other paired devices," he said, going on to warn that these services might also be keeping hold of deleted files, too.

"People should also investigate the deletion procedures for online storage. Many services enable you to 'undo' deletions, which could cause problems in certain situations."

Eduard Meelhuysen, EMEA vice president of Netskope, told Computing that while many organisations don't allow the official use of applications like Apple's iCloud, the popularity of the iPhone means that it's always possible that employees are using it to store corporate data.

"Even if you don't think your organisation is using iCloud, your employees undoubtedly are. Apps like iCloud, which are predominantly aimed at consumers, are such an essential part of users' lives that blocking their use within a business environment isn't really an option," he said, adding that the iCloud breach means "questions around security need to be addressed".

That, Meelhuysen argued, means teaching employees about the risks of uploading files - whether corporate or personal - into the cloud.

"Rather than block iCloud, or any app for that matter, organisations should try to shape usage by stopping risky behaviours, such as the upload of personal identifiable information or the sharing of sensitive content outside of the company. That way you can mitigate risk while enabling the use of cloud in your business," he said.

Stefano Ortolani, security researcher at Kaspersky Lab, argued that there is an inherent risk with using cloud storage because the user has no direct control over where and how the data is stored.

"The security of a cloud service depends on the provider. However, it's important to consider that as soon as you hand over any data (including photos) to a third-party service, you need to be aware that you automatically lose some control of it. This is also the case for when you upload something online," he said.

Ortolani said that individuals need to take more care over what information they choose to store in the cloud.

"In order to make your private data more secure, you should cherry-pick the data you store in the cloud and know when the data is set to automatically leave your device," he said.

"For instance, in iCloud there is a feature called 'My Photo Stream', which uploads new photos to the cloud as soon as the device is connected to Wi-Fi. This is to keep photos synchronised across all your devices. Disabling this option might be a good starting point to get a bit more in control," he said.

Malwarebytes' Boyd said that for total peace of mind, there is only one option: "The only real way to keep sensitive data secure is not put it online in the first place."

At the time of writing, Apple had not issued any comment on the images reportedly stolen from its iCloud service.