New York – A U.S. man is suing Apple for $5 million after claiming he was permanently locked out of his iCloud account following the theft of his iPhone—an incident that he says cost him access to years of personal and professional data. The case, first reported by The Washington Post, brings fresh scrutiny to Apple’s Advanced Data Protection (ADP) policy and its account recovery mechanisms.
Michael Mathews, the plaintiff in the lawsuit, alleges that Apple’s security policies—specifically the Recovery Key process under ADP—are deeply flawed. After his iPhone was stolen, Mathews says he lost access to 2TB of vital iCloud data, which included everything from tax documents and work-related research to family photos and his entire music collection. He also claims the data loss forced the closure of his tech consulting business.
The Recovery Key Debate
Central to the case is Apple’s 28-digit Recovery Key, which is required under ADP to recover encrypted data. ADP offers end-to-end encryption for iCloud content, enhancing user privacy. However, once enabled, it removes Apple’s ability to assist in account recovery—placing full responsibility on the user to retain the Recovery Key.
Mathews alleges that the thief who stole his iPhone may have gained access using the device’s passcode, subsequently changing both the Apple ID password and the Recovery Key. Without the updated key, Mathews claims he was left completely locked out of his digital identity, with no recourse—even from Apple.
Legal Action and Industry Implications
The lawsuit, filed in the U.S. District Court for the Northern District of California, is currently in the discovery phase. Mathews is seeking not only access to his iCloud data but also $5 million in damages, citing the loss of personal memories and the collapse of his business operations.
The case touches on broader issues such as digital identity ownership, consumer rights, and corporate responsibility in a world increasingly reliant on cloud-based data storage.
It’s important to note that without ADP enabled, Apple does retain the encryption keys and can assist users with account recovery after verifying identity. However, with ADP turned on, Apple intentionally removes itself from the recovery process to enhance privacy—an approach that, while secure, can prove unforgiving in cases of theft or loss.
Apple Responds with Caution
While Apple has not commented on the specifics of the lawsuit, a company spokesperson shared a general statement:
“We take all attacks on our users very seriously, no matter how rare”.
As the case moves forward, the tech industry will be watching closely. The outcome could influence how companies balance user privacy with account recoverability, and whether policies like Apple’s ADP require reconsideration in light of real-world user vulnerabilities.
