Pickpocketed and Powerless? Tech Exec’s $5M Lawsuit Accuses Apple of Withholding iCloud Data

Here’s an interesting scenario. Michael Matthews is a 53-year-old man, originally from Minnesota, who runs a technology consulting firm. While in Scottsdale, Arizona, a pickpocket got the better of him and stole his iPhone. To make matters worse, the thief got into the iPhone and changed the Recovery Key.
As a result, Matthews lost access to his photos and other precious data, including research related to his company. This isn’t the first time Apple has had to answer for the same situation, and it’s one of the reasons the company introduced Stolen Device Protection.
Matthews claims Apple is withholding access to two terabytes of data. Can you imagine suddenly losing your iCloud for good? Many of us have a decade or more of personal photos, documents, and other data that’s safe and sound in iCloud. Maybe you’ve had a similar experience. Still, $5 million is a lot. This figure likely comes from Matthews’ claim that he was forced to shut down his consulting firm following the loss.
From what Matthews’ lawyer told The Washington Post, Apple is refusing to reset the Recovery Key or allow access to his accounts and data despite having provided “substantial and unquestionable evidence that the accounts and data in his Apple accounts are his.”
Here’s what likely happened: If you have Advanced Data Protection set up on your iPhone, you need the Recovery Key to access your iPhone. Without it, you’re toast. According to our earlier reporting, “once a thief has unlocked the iPhone using the passcode, it takes only a few moments to reset the victim’s Apple ID password by going into the Settings app. Once that’s been accomplished, the bad actor can then disable “Find My iPhone” on the handset, preventing the device’s owner from tracking its location, while also preventing the victim from remotely erasing the device.”
Still, why would Apple spend the resources defending a lawsuit in the face of irrefutable evidence? Perhaps they’d have to create an entire department to handle requests like this. That would come at a considerable expense and probably open the door to even more fraud and data theft.
There’s been some speculation that Matthews was using Apple’s Advanced Data Protection. If this is true, Apple wouldn’t be able to provide Matthews with a usable copy of his data, as it would be stored with end-to-end encryption. However, it’s unclear if that’s the situation here, as Matthews’ lawyer told the Post that Apple has “never expressed to us that they are unable to give the information back.”
The assumption seems to be based on the mention of a Recovery Key. However, while this is mandatory for an account with Advanced Data Protection (ADP) enabled due to the higher risk of data loss from a forgotten password, any iCloud user can add a Recovery Key to their account, so just because Matthews had one doesn’t mean he was using ADP.
More than two years ago, an Apple spokesperson stated they are “always investigating additional protections against emerging threats like this one.” This led to the introduction of Stolen Device Protection in iOS 17.3, an optional feature that makes it considerably more difficult for a thief to compromise a person’s data by requiring Face ID or Touch ID to change any critical security information or settings such as resetting passwords, passcodes, or recovery keys, or turning off Find My. Trying to change any of these settings when away from a familiar location will also require that you authenticate with Face ID or Touch ID twice, at least one hour apart, to make sure you’re still in possession of your iPhone.
Unfortunately, Stolen Device Protection is a relatively new feature, and it’s not enabled by default. Matthews’ story is a good example of why you should switch it on right away. In addition to protecting you from identity thieves who get their hands on your iPhone, it also limits many other places where your passcode can be used in place of Face ID, which can help defend your private information against nosy friends and family members.
In addition to turning on Stolen Device Protection, other best practices include using Face ID or Touch ID to unlock your iPhone and hiding your screen when entering your passcode. It’s also recommended to change the standard four- or six-digit passcode to a longer alphanumeric passcode. This can be done by going to Settings > Face ID & Passcode > Change Passcode and tapping the small link at the bottom
I know some people who don’t use iCloud but back up their device to separate cloud storage or a physical drive. I always thought that was a little overboard. Is it time to reconsider? Possibly. If you’re running a business, it’s wise to consider keeping your business data separate from your personal data. Depending on the type of business data you’re storing, you may be required to comply with additional safeguards for storage, backup, and recovery. Every situation is unique. You’d be wise to consider the worst-case scenario and make sure you’re prepared. Good luck, Mr. Matthews.