Posts Tagged ‘hackers’

Prague hackers’ congress to address ‘financial freedom’

October 6, 2017

AFP

.

© GETTY IMAGES NORTH AMERICA/AFP | Freeing up finance, one crypto currency at a timePRAGUE (AFP) – 

A hackers’ congress launched in Prague on Friday will discuss new cryptocurrencies and other tools to combat the erosion of financial freedom around the world, organisers said.

“Technology will allow users to shake off economic dependence on the state and achieve financial and personal freedom,” co-organiser Martin Sip said in a statement at the start of the three-day event.

Organisers cited the anonymous cryptocurrencies Monero and Zcash, crypto-markets and decentralised exchange offices as examples of tools that could boost financial freedom.

Amir Taaki, a British-Iranian hacker and expert on the bitcoin cryptocurrency, told reporters in Prague that the western world was going through a social crisis rooted in its economic system.

“Today, most of the work that people do in their lives has absolutely no meaning and no purpose whatsoever,” said Taaki, who founded Britcoin, Britain’s bitcoin exchange.

“What is guiding this mechanistic system that uses human beings as objects is… a system of financial enslavement,” he said, adding that the system wielded “a really sinister form of social control”.

“Our task is to… challenge this system of hierarchy and the state to restore back people’s sense of autonomy and free life.”

“We have to find new forms of economic organisation… (and) bitcoin is the biggest tool that we have to challenge the power of the central banks today.”

Wearing a cap, sunglasses and a mask at Prague’s Institute of Cryptoanarchy, which is hosting the congress, a hacker nicknamed Smuggler said freedom suffers in a financial system dominated by central banks.

“We’re living in a world where we don’t really have money in the sense that we can just transact, but we always have money with permission,” he said.

Earlier this week, reports said the US-based investment bank Goldman Sachs was looking into ways to trade bitcoin to meet client demand.

This would mean a breakthrough as large banks have so far avoided trading in bitcoin due to its reputation as a conduit for illicit activity.

But financial companies have been active in the development of “blockchain,” the underlying technology of bitcoin, which is seen as a potentially major breakthrough.

Bitcoin reached the psychologically important milestone of trading at $5,000 on September 1. It has been retreating since then, trading at $4,375 on October 2.

Advertisements

SEC Discloses Edgar Corporate Filing System Was Hacked in 2016

September 21, 2017

The SEC disclosed that hackers penetrated its electronic system for storing public-company filings and may have traded illegally on the information.

Breach may have allowed trading that profited from nonpublic information, regulator says

.

WASHINGTON—The top U.S. markets regulator disclosed Wednesday that hackers penetrated its electronic system for storing public-company filings last year and may have traded on the information.

The Securities and Exchange Commission’s chairman, Jay Clayton, revealed the breach in an unusual and lengthy statement issued Wednesday evening that didn’t provide many details about the intrusion, including the extent of any illegal trading.

The SEC said it was investigating the source of the hack, which exploited a software vulnerability in a part of the agency’s Edgar system, a comprehensive database of filings made by thousands of public companies and other financial firms regulated by the SEC.

The commission said the hack was detected in 2016, but that regulators didn’t learn about the possibility of related illicit trading until August, when they started an investigation and began cooperating with what the SEC called “appropriate authorities.”

A spokesman for the Federal Bureau of Investigation declined to comment on the SEC disclosure.

The commission’s disclosure follows a major breach of Equifax Inc. that affected 143 million Americans and warnings from executives of the New York Stock Exchange and Bats Global Markets Inc. that a planned data repository of all U.S. equity and options orders could become a juicy target for hackers.

“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Mr. Clayton said in a written statement. “We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”

The intrusion shows how confidential information that can yield easy trading profits has increasingly become a target of hackers.

The SEC in December sued three Chinese traders who allegedly earned more than $4 million in illegal gains after they stole information from the computer systems of Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP, which represent Wall Street banks and Fortune 500 companies.

The SEC’s Electronic Data Gathering, Analysis and Retrieval system, or Edgar, is used by investors who access the online system to view companies’ earnings statements and other disclosures on material developments at companies. Some companies purchase and resell electronic feeds of the filings that cater to electronic and algorithmic traders.

Mr. Clayton’s statement didn’t identify the precise date of the intrusion or what sort of nonpublic data was obtained. The agency said the hackers exploited a vulnerability in part of the Edgar system that allows companies to test the accuracy of data transmitted in new forms. Many corporate filings are made public as soon as they are received through Edgar, although other forms may have to be reviewed first by SEC staff.

The SEC’s statement also didn’t explain why the SEC waited to reveal the breach until Wednesday.

SEC officials have sometimes indicated they could take enforcement action against a public company that misled investors about a significant hack that affected share prices.

Mr. Clayton, who is due to testify before the Senate Banking Committee next week, is sure to face questions about his own agency’s cyber vulnerabilities.

“We face the risks of cyber threat actors attempting to compromise the credentials of authorized users, gain unauthorized access to filings data, place fraudulent filings on the system, and prevent the public from accessing our system through denial of service attacks,” Mr Clayton said. “We also face the risks of actors attempting to access nonpublic data relating to our oversight, or enforcement against, market participants, which could then be used to obtain illicit trading profits,” he added.

The Edgar system, which was launched to equalize access to information among retail and sophisticated investors, has occasionally caused headaches for the commission. Academic researchers found in 2014, for instance, that hedge funds and other rapid-fire investors got earlier access to market-moving documents from Edgar than other users of the standard, web-based system, giving them a potential edge on other traders. The SEC later said it fixed the problem.

The system has also been exploited by traders who submitted fake corporate filings. In 2015, a 37-year-old man in Bulgaria filed a fake takeover offer for Avon Products Inc., which succeeded in sending the beauty-product company’s shares soaring but netted the mastermind just $5,000, regulators alleged.

Mr. Clayton’s statement acknowledged that the planned data repository, known as the Consolidated Audit Trail, could be targeted by cyber thieves looking to steal personal information of stockbrokers’ customers. The audit trail has been in the works for nearly seven years and the SEC approved its final design last year. However, exchange executives have recently cited the Equifax hack as evidence that the audit trail should be pared back, even if that takes away information that could help regulators spot manipulative traders more quickly.

Stock and options exchanges, as well as the Financial Industry Regulatory Authority, which oversees brokers, are due to begin reporting data to the repository in November.

Robert Cook, chief executive of Finra, also has questioned whether the audit trail should be scaled back in light of the Equifax data breach. Speaking Wednesday at a banking luncheon in Washington, Mr. Cook questioned whether the database designed to help regulators sort through flash crashes and spot market manipulation should include personal information about stockbrokers’ customers.

“Especially post-Equifax when we are trying to win back investor confidence in the markets, it seems to be a useful question to ask whether we’ve got the right approach here or we need to revisit it,” he said.

Write to Dave Michaels at dave.michaels@wsj.com

https://www.wsj.com/articles/sec-discloses-edgar-corporate-filing-system-was-hacked-in-2016-1505956552

Russia-tied hackers can gain control of power network: report

September 6, 2017

AFP

© Getty/AFP/File | In the past year the Dragonfly 2.0 cyber-espionage group has become “highly focused” on energy systems, the security firm Symantec said, and its hacking attempts accelerated in the first half of this year

WASHINGTON (AFP) – A Russia-linked cyber-espionage group has hacked into the controls of electricity distribution networks in the US and Europe, raising the risk of malicious, remotely-caused blackouts, computer security firm Symantec said Wednesday.Symantec said the group, dubbed Dragonfly 2.0, gained access to the operational systems in a number of energy operations in the United States, Turkey and Switzerland, “to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so.”

Symantec did not link Dragonfly 2.0, which has been around for several years, to any specific country. But other cyber security analysts and the US government say Dragonfly, also dubbed Energetic Bear, has Russian roots and links to the Russian government.

It said Dragonfly 2.0 had been known to target Western infrastructure in recent years, attempting to access computer systems to install its own backdoor entryways through phishing ruses.

But in the past year it has become “highly focused” on energy systems, Symantec said, and its hacking attempts accelerated in the first half of this year.

“This is clearly an accomplished attack group,” Symantec said.

“The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so.”

The U.S. Navy is staffed by humans

August 26, 2017

By Ravi Velloor
The Straits Times

Four days after the USS John S. McCain suffered major damage in a collision while on approach to Singapore, questions swirl about the manner of the accident, and its reasons.

That it should have come so soon after a sister vessel the USS Fitzgerald suffered a similar accident while leaving a Japanese port, has raised a bunch of troubling questions.

As they say, the first time may be an accident and the second coincidence, but three becomes a pattern.

In the US Navy’s case – or more specifically, the 7th Fleet’s case – there have been not three, but four costly mishaps just this year.

Two other ships currently deployed to the Asia-Pacific, the USS Antietam that ran aground in Tokyo Bay and the USS Lake Champlain that struck a South Korean fishing boat, suffered damage this year.

That certainly makes for a pattern. With a US warship calling in Singapore every three days or so, there is every reason for the Republic to take more than a little interest in what’s going on.

Naturally, conspiracy theories abound.

One line of thinking is that hackers may have corrupted the massive computer systems of the John S. McCain and perhaps, other vessels.

In the case of the John S. McCain, that does not seem the case. Admiral Scott Swift, commander of the Pacific fleet, seems to have ruled out a cyber attack in near categorical terms.

Adm Swift should know, of course, but George Kurtz, former head of technology at MacAfee who now owns CrowdStrike, one of the world’s top cyber security companies, had a more nuanced view.

Image may contain: outdoor

USS John S. McCain sustained damage to her port side, which is the left side of the vessel facing forward. Photo was taken off Changi Naval Base on Aug 21, 2017. ST PHOTO: ​DESMOND FOO

 

While declining to speculate, he told me that any assessment of an incident of this nature would necessarily have to be placed in a geo-political context.

In the John S. McCain’s case, it had just completed a Freedom of Navigation Operation, or FONOP, in the South China Sea where it was repeatedly warned by Chinese vessels.

The current chatter in cyber security circles, he said, is that while the McCain’s computers may not have been compromised, it is probably worth examining if anyone could have tinkered with the GPS system to send her, or the other vessel, off course by a few hundred metres.

It is an interesting theory and not the first time it has come up for mention.

In the James Bond movie Tomorrow Never Dies, Pierce Brosnan is sent off by MI-6 on precisely such a mission: to block a power-mad media tycoon’s attempt to start the next world war by engineering an incident at sea. In that instance, a British man of war is diverted into the hands of what appears to be Chinese military, sparking fury in Whitehall.

While nothing can be ruled out these days, the likely explanation could be more mundane and hark back to the essence of the craft – the quality of seamanship.

All major navies of the world do suffer accidents. It is estimated that since World War II, the major navies would have together recorded at least 1,400 mishaps.

Closer home, in early 2014, the Indian Navy chief, Admiral DK Joshi, quit after a series of accidents involving his force. The costliest of those mishaps was the loss of a docked Kilo class submarine that sank after an explosion on board while loading missiles for a mission.

At the time, poor observance of protocols was cited as the reason. The larger pattern was one of falling standards, poor equipment, and inadequate training.

But the United States is considered the gold standard of the navy game. It has the best technology, whether for the turbines that provide the power below deck, or in the missiles and radars stacked above. Its warships are designed for far greater crew comfort, than, say, a comparable Russian craft. And it is the rare naval officer in the world who has not read up on the life and times of Admiral Hyman Rickover, father of the US nuclear navy, or wished to be like him.

Yet, the US Navy too is staffed by humans. And there is little doubt that its personnel have been under strain and its resources stretched.

The US Congress was recently informed that about 100 ships have been deployed every day since 2001, the year the US suffered the 9/11 attacks. Since its current strength is 277 vessels that makes for a massive utilisation ratio. This, naturally, tells on maintenance, crew rest and training.

While President Donald Trump has said he wants to take the navy to 350 ships, that is a long way away.

In the immediate future, the pressure on its resources will only grow since many ships are due to have completed their normal use cycle and come due for retirement, or scrapping.

http://www.straitstimes.com/opinion/us-navy-mishap-james-bond-or-poor-seamanship

Related:

.
.
.

HBO’s Hack: ‘Hollywood Is Under Siege’

August 11, 2017

The recent breach at the network highlights vulnerabilities unique to the entertainment industry

Image may contain: 2 people, ocean and outdoor

Aug. 11, 2017 5:30 a.m. ET

At a time when HBO should be relishing the record ratings of its hit drama “Game of Thrones,” executives there are instead are grappling with a hacker shakedown that could be a plot point on the network’s “Silicon Valley.”

The breach of the network’s systems that was disclosed last month is developing into a prolonged crisis. Hanging over HBO now is the daily threat of leaks of sensitive information, ranging from show content to actors’ and executives’ personal information.

The hack at HBO comes almost three years after a high-profile one at Sony Corp. and highlights persistent vulnerabilities unique to the entertainment industry. The pressing issue isn’t safeguarding credit-card numbers and account details. Instead, executives are worried about potential damage to intellectual property if television-show spoilers are made available before episodes are officially aired.

“Hollywood is under siege,” said Jeremiah Grossman, chief of security strategy for cybersecurity company Sentinel One. “It seems easy to hack a network, and they perceive that they can make money doing so.”

Already, scripts of “Game of Thrones” episodes have been leaked by the hackers, whose leader calls himself “Mr. Smith.” Also made public were episodes of other shows, including comedies “Ballers” and “Insecure,” and a month’s worth of emails from an executive.

When the hackers came forward late last month, an HBO technology-department employee sent them a letter offering $250,000 to participate in the company’s “bug bounty” program, in which technology professionals are compensated for finding vulnerabilities, according to a person familiar with the matter.

HBO was buying time with that response and isn’t in negotiations with the hackers, the person said. The hacker has demanded a ransom of around $6 million.

The network has also been working with the Federal Bureau of Investigation and other law-enforcement agencies and cybersecurity firms to address the matter, people familiar with the matter say.

Meanwhile, the cable network is playing Whac-A-Mole. It managed to take down the website and digital locker the hacker initially used to distribute show material after sending takedown notices to internet-service providers, according to the person familiar with the matter. It alerted potentially exposed “Game of Thrones” cast members of the hack before Mr. Smith posted material that includes some of their phone numbers.

In a statement, HBO Chairman and Chief Executive Richard Plepler said, “The consensus here was a path to transparency. When something like this happens, the best you can do is try to protect the people you work with inside and outside the company. That’s what our focus has been.”

Unlike retailers, entertainment firms usually don’t shoulder the burden of protecting customer-account details, because that is handled by cable, satellite and web-TV distributors.

The urgent worry is that fewer viewers will watch episodes that can cost several million dollars each if hackers supply a stream of spoilers. That hasn’t happened yet. The last “Game of Thrones” episode, which aired on Aug. 6 attracted a record 10.2 million viewers.

The fear also relates to the chance of emails emerging that could hurt relations with talent or other companies. In the Sony hack, then-studio chief Amy Pascal was embarrassed by emails in which she made a joke about President Barack Obama’s taste in movies as well as disparaging remarks about actors, including Adam Sandler.

“Leakage will be your worst nightmare; your competitors will know about current & future strategies, your inner circle inside HBO & senior staff will be thrown into chaos,” the hackers promised in a video note to Mr. Plepler they posted earlier this week.

HBO has said it expects more information to leak out but said its review of the matter “has not given us a reason to believe that our email system as a whole has been compromised.”

After the Sony hack, many entertainment companies, including HBO’s parent Time Warner Inc., beefed up their own security.

Around the same time, though, in a cost-saving move, Time Warner centralized much of the technology operations that previously existed in the individual units, which also include Turner and Warner Bros.

Now that strategy is being rethought, and the individual units are being encouraged to take on more autonomy and responsibility for their own technology infrastructure, the person familiar with the matter said.

Prior to the HBO hack, sister unit Turner Broadcasting had already begun the process of overhauling some of its information technology after an assessment revealed that a hack into one network, such as Cartoon Network, could easily be a gateway into CNN.

The HBO hack also comes as Time Warner is in the process of being acquired by AT&T Inc. However, the hack isn’t expected to have any effect on the sale or the terms of the deal, according to media analyst Michael Nathanson of MoffettNathanson Research. An AT&T spokesman declined to comment.

Cybersecurity expert Mr. Grossman, who has tested security networks for Hollywood TV and movie companies, said these firms are vulnerable because they work with so many partners that “their data is all over the place.”

Write to Joe Flint at joe.flint@wsj.com and Tripp Mickle at Tripp.Mickle@wsj.com

https://www.wsj.com/articles/hbos-hack-hollywood-is-under-siege-1502443802

Related:

HBO hackers demand millions in ransom note

August 8, 2017

AFP

© AFP/File | Hackers claiming to have breached HBO are demanding a ransom, threatening to leak more content from the popular show “Game of Thrones” if the network refuses to pay

WASHINGTON (AFP) – Hackers claiming to have breached HBO were demanding millions of dollars in ransom payments from the television group, while threatening to release more files from what is claimed to be a massive data breach.A video circulating online directs a message to HBO chief Richard Plepler claiming that the group “obtained valuable information” in an attack that yielded a whopping 1.5 terabytes of data.

The message was authored by someone identified only as “Mr. Smith.”

The website Databreaches.net reported that 10 files were leaked Monday as part of the demand including what may be another script of the popular fantasy series “Game of Thrones.”

The video revealed a letter stating the hackers obtained “highly confidential” documents and data including scripts, contracts and personnel files.

“We want XXX dollars to stop leaking your data,” the letter said, later alluding to a figure of half the group’s annual budget of $12 million to $15 million.

It went on to say, “HBO spends 12 million for Market Research and 5 million for GOT7 advertisements. So consider us another budget for your advertisements!”

The message comes a week after a leak of one script of “Games of Thrones” and content from other productions.

The letter said HBO was the 17th target for the hacking group and that “only 3 of our past targets refused to pay and were punished very badly and 2 of them collapsed entirely.”

HBO said in a statement that it believed that further leaks might emerge from the breach and that “the forensic review is ongoing.”

“While it has been reported that a number of emails have been made public, the review to date has not given us a reason to believe that our email system as a whole has been compromised,” the statement from the Time Warner unit said.

“We continue to work around the clock with outside cybersecurity firms and law enforcement to resolve the incident.”

Israel Security Chief: Agency Strikes Back at Online Hackers — Offensive cyber counterattacks

June 27, 2017

JERUSALEM — Israel’s security chief says his agency, the Shin Bet, has gone on the offensive against hackers trying to carry out cyberattacks against Israel on the internet.

The remarks by Nadav Argaman are a rare admission of Israel’s use of offensive cyber capabilities.

Argaman spoke at a cyber defense conference in Tel Aviv on Tuesday.

He says that “passive defense” is not enough, and that the Shin Bet studied hackers’ strategies and developed “a variety of ways and methods” on how to strike back.

Israeli cyber officials are ordinarily reluctant to discuss the use of offensive capabilities against hackers.

Apple’s mounting problems in China: Apple Customer Data in China Was Sold Illegally, Police Say

June 10, 2017

To Apple’s mounting problems in China, add official scrutiny over privacy.

The Chinese police said this week that they had arrested 22 people suspected of selling the personal data of an unspecified number of Apple customers. The police, in Cangnan County in the eastern province of Zhejiang, said the thieves had reaped 50 million renminbi, or about $7.3 million, over an unspecified period.

Many of the details were unclear, including the identities of those involved and the severity of the breach.

In a statement on Wednesday, the Cangnan police said they found that Apple employees had illegally acquired personal data, then later in the same statement said 20 of the 22 people worked for companies that sell Apple products or are Apple contractors. The police did not disclose information about the other two people. In China, Apple’s products are sold broadly, in electronics chain stores and small booths in shopping malls in addition to the company’s official Apple Stores.

The Cangnan police also said the data included the names, Apple identification numbers and phone numbers of Apple users. They did not say whether passwords or financial information like credit card numbers were involved, which would suggest the thieves had access to internal Apple data and would make the breach more serious.

The arrests are part of a set of broader difficulties in China for Apple, which is based in Cupertino, Calif. Sales of iPhones, still a sign of middle-class aspiration in China, have slowed, according to analysts, as the public waits for new models and as Chinese manufacturers of cheaper phones step up their quality and marketing.

Apple has also faced new scrutiny from the government on other fronts. Last year its movie and book services were shut down in China.

Still, Apple may simply be caught up in a wider rising of concern over privacy in China.

Few people in China expect the country’s authoritarian central government to stay out of their business. But outside of that, a growing number of Chinese people fear cybercrime and identity theft, particularly as millions of them turn to online shopping and using money electronically.

Between widespread malware campaigns and a large number of new internet users, China has become a playground for internet fraudsters. Last year, China tried 361 criminal cases involving violation of personal data, up from 176 in 2015, said Xie Yongjiang, associate director for the Institute of Internet Governance and Law at the Beijing University of Posts and Telecommunications.

“It is very common. Every one of us can feel it,” Mr. Xie said. “For example, after your child is born at a hospital, someone will phone you and ask if you need baby products. When your child turns 3, someone will phone you and ask if your child would go to their nursery school. When your child reaches primary school age, someone will phone you to ask if you need training services.”

“You have no idea who exposed your personal data,” he added.

The problem is not new. In one incident reported in the Chinese news media just this week, an employee of a Shanghai delivery company was recently arrested on suspicion of selling clients’ personal data.

Other examples abound. An apparent trove of login information leaked onto the Chinese internet was used to hack more than 20 million accounts on Alibaba’s e-commerce site Taobao, according to news reports. Alibaba said that its security systems had not been breached and that it had worked with the police to quickly catch the perpetrators.

In another example, China News Service, a state-run news agency, reported late last year that login information and other personal data from accounts associated with the Chinese e-commerce site JD.com were exposed in 2013 as part of a security problem. JD.com said it had quickly fixed the issue.

The problem is not even new to Apple. Last year, 10 employees of an Apple contractor in China were also found with data from more than 80,000 users.

Related:

Chinese Apple staff suspected of selling private data

June 8, 2017

AFP

© AFP | Chinese authorities say they have uncovered a massive underground operation run by Apple employees selling computer and phone users’ personal data.

BEIJING (AFP) – 

Chinese authorities say they have uncovered a massive underground operation run by Apple employees selling computer and phone users’ personal data.

Twenty-two people have been detained on suspicion of infringing individuals’ privacy and illegally obtaining their digital personal information, according to a statement Wednesday from local police in southern Zhejiang province.

Of the 22 suspects, 20 were Apple employees who allegedly used the company’s internal computer system to gather users’ names, phone numbers, Apple IDs, and other data, which they sold as part of a scam worth more than 50 million yuan ($7.36 million).

The statement did not specify whether the data belonged to Chinese or foreign Apple customers.

Following months of investigation, the statement said, police across more than four provinces — Guangdong, Jiangsu, Zhejiang, and Fujian — apprehended the suspects over the weekend, seizing their “criminal tools” and dismantling their online network.

The suspects, who worked in direct marketing and outsourcing for Apple in China, allegedly charged between 10 yuan ($1.50) and 180 yuan ($26.50) for pieces of the illegally extracted data.

The sale of personal information is common in China, which implemented on June 1 a controversial new cybersecurity law aimed at protecting the country’s networks and private user information.

In December, an investigation by the Southern Metropolis Daily newspaper exposed a black market for private data gathered from police and government databases.

Reporters successfully obtained a trove of material on one colleague — including flight history, hotel checkouts and property holdings — in exchange for a payment of 700 yuan ($100).

Related:

China’s New Cybersecurity Law Tested by iPhone Information Theft

June 7, 2017

Foreign technology companies said they were uncertain how the new law would affect their operations

Image result for apple store in China, photos

The Wall Street Journal
June 7, 2017 9:38 a.m. ET

BEIJING—A week after China’s first cybersecurity law took effect, an investigation over the alleged theft and sale of iPhone users’ information looked set to test how well Apple Inc. and other foreign companies protect Chinese citizens’ personal data.

Police in eastern China said they had detained 22 people, including 20 from Apple “direct sales outlets” in China and companies Apple outsources services to. Police said those detained had used Apple’s internal system to illegally obtain information associated with iPhone products like phone numbers, names and Apple IDs, and then sold the information.

A statement by police in Cangnan county in Zhejiang province gave no further information on the Apple outlets involved, or details on the two other people detained. Calls to the police’s news department went unanswered.

The statement said the 22, who were detained May 3, charged from 10 yuan ($1.50) to 180 yuan for each piece of information and that the total amount of money involved was over 50 million yuan.

An Apple spokeswoman in China didn’t respond to a request for comment.

China has long struggled to rein in a robust black market in personal information, prompting one political activist last year to purchase and publish in a form of protest the private data of several Chinese tech CEOs, including Alibaba Group Holding Ltd. co-founder Jack Ma. The activist showed evidence of one vendor offering to sell personal information ostensibly belonging to Chinese President Xi Jinping for 1,000 yuan.

A core aim of the cybersecurity law is to better protect individuals’ private data, authorities have said.

iPhone users’ information is highly prized on the black market because of the belief they are more affluent. Obtaining data such as a user’s Apple ID could help hackers lock iPhones remotely and then demand payment from the user to unlock it. The potential for abuse widens further if hackers gain access to a user’s cloud storage.

Ahead of the June 1 implementation of the cybersecurity law, foreign technology companies expressed concern, saying they were uncertain how it would affect their operations. Specific measures to comply with the law’s mandates on protection of personal information are still being worked out, according to the regulator, China’s Cyberspace Administration.

Under earlier laws, companies have largely escaped punishment when employees used their access to internal computer systems to steal users’ personal data, according to Liu Chunquan, an intellectual property lawyer with Shanghai-based Duan & Duan Law Firm.

That has changed under the cybersecurity law, Mr. Liu said, with companies now potentially facing fines and other punishment by regulators unless they can prove their systems weren’t to blame for leaks.

“Now with this law, Apple as a company faces much greater legal risk than it would have before,” he said.

A company could face fines of as much as 10 times the illegal revenue from a theft if it is found to have had inadequate protections against a leak, according to the law. In serious situations, regulators can temporarily close or revoke the business licenses of companies found in violation of the new law.

Based on information police have released so far, government authorities could now have grounds to look into potential holes in Apple’s internal data management in China, said You Yunting, a partner with Shanghai-based DeBund Law Offices.

Cangnan police posted a series of photos of officers detaining and interrogating the detainees on the popular WeChat messaging app. In one image, several people are shown standing in front of a police station in handcuffs. They are accompanied by what appears to be plainclothes police, including one holding a bouquet of flowers.

Yang Jie and Josh Chin contributed to this article

(END) Dow Jones Newswires

June 07, 2017 09:53 ET (13:53 GMT)

https://www.wsj.com/articles/chinas-new-cybersecurity-law-tested-by-iphone-information-theft-1496842716