Famous singer Adele, known for hits such as "Hello" and "Rolling in the Deep," has joined the ranks of celebrities who have been subjected to the theft of personal photos.
An unidentified hacker accessed the email account of Adele's fiancé, Simon Konecki, and obtained private photographs of the singer during her pregnancy and childhood as well as shots of the couple's three-year-old son, according to CBS News. The theft became known when these photos were posted to a private Facebook group maintained by Adele fans, one of whom notified Adele's management team to report the incident. Adele was understandably outraged over this ordeal and the photos were removed from the group.
Although the full details aren't yet known, this doesn't appear to be related to iCloud backups, as was the case with other leaked celebrity photos. On the surface it appears the hacker specifically targeted Konecki's email account to see if it could be compromised. It's possible they either managed to guess Konecki's password, used security questions to obtain access to the account (this was how Sarah Palin's email account was hacked several years ago), or perhaps obtained access to a device owned or used by Konecki upon which his email credentials were cached.
I recently wrote an article covering best practices for mobile device management, which includes tips such as using complex passwords, screen locks, automatic wiping after five or 10 failed logon attempts, and encrypted storage. However, there are some other lessons to be learned from Konecki's email intrusion:
- If you're a high-profile target (or engaged to one), expect the crosshairs to be on your forehead and act accordingly. This is why the Secret Service wanted President Obama to give up his BlackBerry after he was first elected (Obama fought that and won, but you can see the need for heightened security).
- Use common sense and select strong passwords which are rotated frequently.
- Never save credentials on a device.
- Never write down, store in plain text or provide your password to anyone, even if they claim to be from your IT support group or law enforcement.
- Don't store confidential information in email; download it to a device and use encryption to safeguard it. My email provider, Fastmail.fm, allows me to delete attachments from messages while retaining the text, something I find extremely helpful.
- This may sound counter-intuitive, but I recommend choosing unique answers to security questions which have no bearing on reality, so that someone armed with the real answers cannot breach your account. I store all my passwords and answers to security questions in a password manager called KeePass; it's free, easy to use, and can store URLs, notes and previous passwords, along with other functions to help manage your authentications. I use Dropbox to sync my KeePass database to all my devices so I can access it anywhere, and it's protected with a complex master password that will die with me.
Had Konecki followed the above tips, I find it unlikely Adele would have wound up subjected to a privacy breach, albeit a fairly minor one.
Tim Erlin, director of IT security and risk strategy at Tripwire, shared his thoughts on the latest celebrity hacking.
"This isn't the first time we've seen celebrity photos as the target of a cyber attack, and it likely won't be the last. With the way that devices and services are interconnected today, it can be difficult to understand which data is shared with others or with third parties. Any time data, including photos, leaves your device, it's put at greater risk. When you share data with others, whether via an app or email, you're implicitly putting trust in their security. Even if you've chosen a strong password and kept it secret, that other person may not have been so diligent," Erlin said.
As far as what Adele could have done to better protect her privacy, Erlin said, "While there's plenty that Adele could have done differently, there's not much that she should have done differently. Choosing not to share your photos will undoubtedly reduce the risk of having them stolen through a cyber attack, but it's hardly realistic advice for most people."
The tech industry is working on ways to improve data security, with features such as multi-factor authentication, but it can be difficult to get customers to adopt new security controls, Erlin said.
Erlin pointed out that breaking into someone's email or device and copying their private data is a crime. There's no doubt that the incident will be investigated by law enforcement and the perpetrator prosecuted, if caught.
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.