Apple User Sues After He Can't Access Account Following iPhone Theft
An Apple customer has been denied access to 30 years’ worth of his data because Apple allowed hackers to exploit a known flaw in the company’s data security that allows unauthorized third parties to gain access to victims’ accounts and change the recovery key, alleged a complaint Tuesday (docket 5:24-cv-00272) in U.S. District Court for Northern California in San Jose.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Michael Mathews of Maple Grove, Minnesota, had his iPhone pick-pocketed in Scottsdale, Arizona, Dec. 23, said the complaint. Though Mathews immediately filed a report with local police, “it was too late,” and thieves had already hacked into his phone, reset the recovery key and took control of Mathews’ Apple ID and iCloud accounts, the complaint said.
The hackers now have access to all of Mathews’ Apple accounts, 2 TB of his personal and private data, including Social Security, credit card and passport numbers, bank and brokerage account information and every website user ID and password Mathews had saved in the iCloud Keychain, including work files, research, tax returns, photos and music, the complaint said.
The iCloud also contains work documents that are the “foundation” for Mathews’ technology business, including research, presentations, content and experiences, the complaint said. With the loss of his Apple ID and iCloud content, Mathews' “entire 30-year document and knowledge base, and all the related tools, development efforts and products related to his company are essentially 'gone,'” said the complaint.
With knowledge of an Apple device passcode, a hacker can “easily reset” the Apple ID in the settings app, even if Face ID or Touch ID biometric security features are enabled, the complaint said. A hacker can then turn off Find My iPhone on the device, preventing the owner of the device from tracking its location or remotely erasing the device via iCloud, it said.
The hacker can then use the stolen device to set or reset a recovery key, a randomly generated 28-character code that’s required to regain access to an Apple ID, and lock the owner out of his Apple accounts. The hacker can use the information stored in the victim’s Apple accounts “to steal from the victim, open [fictitious] accounts in their name, and block the victim from gaining access to the accounts,” it said.
The recovery key “is an extremely powerful tool that hackers have exploited,” the complaint said. Apple has been aware of the security flaw “for some time but has done nothing to correct it" and has "refused to allow victims to regain access to their accounts despite the flaw,” it said. Apple’s policy and the design of its security features have “long been known to Apple to be flawed, but they do nothing to fix it,” it said.
Apple gives users “virtually no way back into their accounts” without the recovery key, a key it knows “the user cannot obtain,” the complaint said. Apple “has made a policy decision to assist and perpetuate the lawlessness of criminals over the ownership and privacy rights of its users,” it said. Apple's actions are “inexplicable and unconscionable and cannot stand," the complaint said.
Mathews asserts claims of invasion of privacy, conversion, trespass to chattels, civil theft, unjust enrichment, intentional and negligent infliction of emotional distress, civil conspiracy and violation of California Business and Professional Code section 17200. He seeks injunctive relief in the form of reestablishing his access to, and exclusive dominion over, his data and Apple accounts; punitive and treble damages; restitution; attorneys’ fees and costs; and pre- and post-judgment interest. Apple didn't comment Wednesday.