Stolen iPhone turns into financial and data loss nightmare for traveling exec, lawsuit alleges
Two days before Christmas in 2023, Michael Matthews, a Minnesota executive, was traveling in Scottsdale, Arizona, when his iPhone was stolen by a pickpocket.
Anyone losing their phone suffers a loss, but what happened to Matthews afterward has been a nightmare, all as laid out in the complaint Matthews filed against Apple Inc. on Tuesday in federal court in San Francisco.
According to the filing, immediately after the theft, Matthews contacted police in Scottsdale but it was too late; by that time the thieves had already hacked into his phone.
Matthews doesn't know how the thieves got his iPhone password but presumes that they observed him opening his phone beforehand and were able to see the numbers he typed in.
Once the thieves got into his iPhone, they disabled Matthews' ability to access it remotely, then took control of his Apple ID and iCloud accounts.
What that meant for Matthews was his entire digital life was now in the hands of the thieves.
That included 30 years' worth of private and personal data, including "Social Security numbers, passport data, credit cards, bank accounts, brokerage accounts and every website user ID and password that Matthews had saved in the iCloud Key Chain, including work files, research, tax returns, photos, music, etc.," the filing said.
The loss was far greater than just the material on his phone. Once the thieves had gained control of his Apple ID, they had access to all of his data residing on the Apple platform.
Matthews' lawyer, K. Jon Breyer of the Minneapolis firm Kutak Rock LLP, explained that once they were into the phone, the thieves "would have access to Apple Pay so they could go on and use that to buy whatever they want. Apple connects to your other accounts. You save passwords and usernames through a chain, all of which they can use to access your various bank accounts or financial information."
Breyer said that what created the nightmare for Matthews is that the Apple operating system has an optional "recovery key" -- a 28-character alphanumeric code -- that, if enabled, allows the owner to go to Apple and recover his or her accounts and data.
That could have protected Matthews, but immediately after the thieves hacked into the phone, they allegedly reset the recovery key. And once the recovery key was reset, the new code would be known only to the thieves (and Apple).
Breyer said, "The recovery key is an extremely powerful tool that hackers have exploited. Apple has been aware of this security flaw for some time but has done nothing to correct it and, to make matters worse, has refused to allow victims to regain access to their accounts despite the flaw."
He refers to the cruel irony that even though use of the recovery key is optional, if it is enabled, Apple's policy is that it then becomes the exclusive way to recover accounts. Matthews, not knowing the new recovery key, could not recover his accounts that way and, according to Breyer, Apple's policy is that they will not let him prove his identity any other way.
In other words, Matthews, the owner, is out of luck.
Breyer said he does not know how many other people have experienced the same issue, but said that a similar situation arose in New York in 2022 and, according to widespread media reports, the iPhone owner in that case offered to fly to Cupertino to prove his identity, but Apple reportedly refused.
Breyer knows of no other litigation that challenges Apple's policy.
The way Breyer sees it, "Apple has decided to support the hacker and not their user."
In his view, Apple has made the wrong choice.
"Apple has made a policy decision to assist and perpetuate the lawlessness of criminals over the ownership and privacy rights of its users," Breyer said.
He says that Apple's policy "aids the hackers in their criminal activity," and results in a variety of claims against Apple, including invasion of privacy, civil conspiracy, and the infliction of emotional distress, all of which are set out in Matthews' court filing.
The lawsuit not only seeks to get Matthews' data back, but requests that the court award damages in excess of $5 million.
A request to Apple for comment on the lawsuit was not immediately answered.